
With the rise in convenience-store loyalty personalization and customer data collection comes a greater risk of sensitive customer information being stolen or misused.
“When you deal with customer data, you want to make sure that you're doing everything you can to protect personally identifiable information,” said Rick Rigby, chief technology officer at Atlantis Management Group, Mount Vernon, New York.
Atlantis Management, a 103-store chain with stores in the Northeast, collects personal information from loyalty members when they sign up for the loyalty program, but the chain leverages best industry practices to protect it, Rigby said. The c-store chain keeps the data internal, and Rigby said that “having good cyber security practices with how you treat personally identifiable information is critical.”
- Atlantis Management Group is No. 69 on CSP’s 2025 Top 202 ranking of U.S. c-store chains by store count.
One of the biggest risks in having this data is targeted phishing, says Ven Auvaa, director of information security at ArmorPoint, a security company based in Phoenix.
If a retailer’s loyalty program has been compromised, a phisher could gain access to customer contact information, shopping habits and history, said Auvaa. That allows attackers to target that user specifically, offering deals on products that they regularly purchase or redeemable credits for items.
“If [a consumer] gets an email that looks like it's coming from a trusted retailer, and they know your shopping habits, then of course [the consumer is] going to think that they're trustworthy, but if that's coming from compromised data, then the risk is much higher,” said Auvaa.
Harjot Sahota, who was previously director of safety and asset protection at Aldergrove, British Columbia-based Otter Co-Op, which operates 25 convenience stores, agrees that data privacy issues are a significant concern, whether it’s phishing, hacking, malware or identity theft.
“These all pose a serious threat to individuals and organizations, and it’s really important for loss prevention and IT to work closely to ensure there’s security measures in place,” he said. “When we look at LP [loss prevention], we’re the experts in physical security, and IT are the experts in that cybersecurity, so it’s important for them to work together in a unified ecosystem to protect the organizations from potential threats.”
Retailers should watch for spikes in internet traffic, such as sudden large amounts of data going in or out, unusual login attempts to devices and strange activity around cloud-managed cameras or payment terminals.
“Not only do [cyberattacks] result in a loss of reputation, it results in customer distrust of that specific organization, but there are significant fees and penalties,” said Auvaa. “Certain states will have very specific regulations... an organization will have to pay out a fee for each different record that is exposed.”
For prevention, ArmorPoint offers tools like SIEM (Security Information and Event Management) and SOC (Security Operations Center), said Auvaa. These tools act like 24/7 digital watchdogs, tracking all store activity in one place so anything suspicious stands out.
Another best practice is following cybersecurity standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which is designed to ensure that all companies that process, store and transmit credit card information maintain a secure environment.