Cyber-Security: Preventing live chat data breaches


Ticketing retailer Ticketmaster disclosed “a widespread hack that compromised the payment and personal details of tens of thousands of British customers” in June 2018, writes Elias Jahshan for the Retail Gazette on 28th June 2018. Although the breach occurred in an American vendor’s automated chatbot solution, and not in live chat software, cyber-attacks still present a real threat to live chat. After all, to be forewarned is most certainly to be forearmed.

Cyber-security can’t be an afterthought. Having the right cyber-security strategies in place for live chat or even for chatbots, and the entire enterprise, is also much cheaper than having to clear up the mess that occurs after a data breach. More to the point, a survey by global information management specialists Crown Records Management, finds that 78% of people would avoid a firm after a data leak. 

Severe consequences

The consequences of a successful cyber-attack include downtime, which costs time, money, brand value, and both potential and existing customer relationships. With the European Union’s General Data Protection Regulation (GDPR) now in force, breaches can attract some tough fines too.

So, the data breach suffered by Ticketmaster could in theory lead to some severe penalties – of which there are two administrative tiers. The imposition of any fines under the regulations must be “effective, proportionate and dissuasive”, and much depends on the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement and other factors. 

At the first tier, companies can be fined up to “€10 million, or 2% annual global turnover – whichever is higher”; for the more severe breaches the fines can be “up to €20 million, or 4% annual global turnover – whichever is higher.” Although Ticketmaster claims it has complied with GDPR, media reports see the data breach, which affects an estimated 40,000 British customers, as a litmus test. After all, the duration of the breach was a matter of months, potentially affecting anyone who tried to buy tickets between February and 23rd June 2018.

Consequently, some journalists predict that this may lead to a hefty fine – particularly as Mark Bridge, Technology Correspondent, and Frances Gibb, Legal Editor, of The Times claim that the company was warned about the breach back in April 2018. Ticketmaster has also confirmed that the breach affected 5% of its global customer base. If 25% of its customer base had been affected by the breach, which was caused by malicious software, then the breach and any subsequent fines would be more severe. So, from a GDPR perspective, the customers’ data should have been more stringently protected.

Live chat confidence

Organisations are nevertheless confident about the implementation of live chat. Consequently, companies are choosing to optimise the channel in several ways by placing links to it in social media posts, digital documents, and email signatures. It has also become a vital part of some organisations’ digital transformation strategies as well as their disaster recovery strategies.

In contrast, chatbots are a newer technology that has a whole lot of buzz around it. They have seen a 19% functionality growth rate over the last 2 years, and more organisations are expected to implement them by 2020. However, from a cyber-security perspective it’s not a case of one being better than the other because much depends on how the live chat or chatbot solutions provider approaches cyber-security with their clients. 

Chat with security

A live chat solutions provider such as Click4Assistance will always ensure security is a priority. This involves ringfencing data on quarantined servers, encrypting data at the highest levels, blocking any malicious code that’s entered into a live session, and doing regular and extensive testing, including penetration testing, to ensure data resilience. Unfortunately, the American provider’s security left its chatbot wide open to the malicious attack. So, the foundations of the infrastructure need to be in place and thoroughly tested before providing it to clients, and even then clients should audit their live chat regularly.

Live chat can also be used to protect individuals who want to talk anonymously without any threat that their identity will be revealed. Live chat solutions providers therefore need to work closely with their clients to ensure that their security and confidentiality requirements are met. In a sensitive healthcare environment, for example, this requires working with the organisation on a bespoke development project to mask chat transcripts, safeguarding the interests of every individual approaching the organisation for whatever reason.

Customers’ or patients’ personal data can also be encrypted while at rest using AES-256 encryption. What this means is that if a breach did occur, the stored data would be unreadable without the key. The key is stored in a safe to which only the directors have access.
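To make the at-rest claim concrete, here is an added example (not Click4Assistance’s code) that seals a chat transcript record with AES-256-GCM and shows that a copy of the stored blob is useless to anyone who holds the data but not the key; the transcript line and the keys are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-256-GCM; the length check stops aes.NewCipher silently running AES-128/192 on a shorter key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptTranscript seals a transcript for storage as nonce || ciphertext || tag.
func EncryptTranscript(key, transcript []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per record; crypto/rand.Read cannot fail since Go 1.24
	return gcm.Seal(nonce, nonce, transcript, nil), nil
}

// DecryptTranscript reverses EncryptTranscript. A wrong key or a tampered blob
// fails the GCM tag check and returns an error, never garbage plaintext.
func DecryptTranscript(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open stored transcript: bad key or truncated blob (%v)", err)
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // demo only: a real key lives in a secrets store, apart from the data
	rand.Read(key)
	blob, _ := EncryptTranscript(key, []byte("visitor: please refund card ending 0000")) // constructed
	pt, _ := DecryptTranscript(key, blob)
	_, err := DecryptTranscript(make([]byte, 32), blob) // constructed wrong key
	fmt.Printf("with key: %s\nwithout key: %v\n", pt, err)
}
```

Because GCM authenticates the ciphertext, a stolen database dump cannot even be altered undetected, which is the property plain AES-CBC at rest would not give you.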

Don’t rush in

Intensive research and testing during the early procurement stages is vital before the implementation of any live chat or chatbot solution. This will ensure that each potential provider is not cutting any corners. It’s also important to invest the time and money to ensure that any implementation is introduced correctly, protecting customer data from the outset rather than risking its loss and then having to pay fines. Simply looking for a quick solution can cause more problems than it’s worth. So, it’s advisable to take a precautionary approach from the beginning, which will involve due diligence.

Everything implemented should therefore be risk assessed, and where applicable larger organisations will take the time to run the solution through their compliance team. Smaller companies may not have a dedicated team, but they should still try and be as thorough as possible. They aren’t immune from cyber-attacks – including ransomware. 

Being a cloud-based software-as-a-service (SaaS) solution, Click4Assistance supplies the service and the infrastructure, and it is responsible for maintaining live chat security. In the event of an attack, the client isn’t the organisation that gets hacked. Live chat software providers like Click4Assistance are the ones to feel the full brunt of a cyber-attack. The clients’ own systems aren’t exposed to it, and this is ensured when a live chat provider adheres to cloud and data security standards.

This will include secure coding practices, regular penetration testing, encrypting data at rest and in transit, and having a strong security framework in place that specifically deals with public-facing interfaces. However, if the client chooses a solution which they wish to host themselves, then the security of the system and the infrastructure it resides in becomes their responsibility.

Choose carefully

I would therefore advise your company to choose a live chat or even a chatbot provider carefully. This will involve going through several regulatory compliance procedures and require you to regularly undertake some stringent penetration testing. There is also a need to monitor and to control user access and permissions – particularly as disgruntled employees can be a major source of a data leak, which is not always caused by malicious software.

Remember, too, that it is crucial to run regular audits and report what you find right up to board level if necessary. After all, you need to ensure that senior executives are on board to give you the budget to protect your live chat or chatbot operations – whether they are used in customer service or in technical support. Live chat is therefore an invaluable tool for many organisations, no matter in which market they operate.

Gary Martin, Managing Director of Click4Assistance
