RICHMOND, Va. -- Skimming and data-security incidents at Shell and 7-Eleven locations nationwide have ranked the two chains No. 1 and No. 2, respectively, on a list of companies experiencing multiple breaches in 2015, according to a recently released study.
Houston-based Shell had 14 reported instances, with Dallas-based 7-Eleven tying with Charlotte, N.C.-based Bank of America with 13 each.
Other convenience-store retailers and oil companies making the dubious list of Top 12 “repeat offenders” include Laval, Quebec-based Circle K, Irving, Texas-based ExxonMobil, Houston-based Marathon and Philadelphia-based Sunoco, the study reported.
The fragmented nature of the retail convenience-store and gas-station business and the ease of accessing pumps not visible to cashiers encourage multiple breaches, said Barry Kouns, CEO of the Richmond, Va.-based Risk Based Security, which put out the study.
“When breaches happen to a company multiple times in a given period, you might think they’re not taking [data security] seriously,” Kouns told CSP Daily News. “But with gas stations, we’re not talking about one server [at corporate] being compromised, but [sites] that are independently run and operated by different people in many states.”
Chain operators and independents have different levels of sophistication and processes regarding data security, which leads to inconsistency, Kouns said. Added to the problem is the continued use of vulnerable, magnetic-stripe cards at the pump versus computer-chip cards and the growing expertise of data thieves.
“The attack methodology is working,” said Kouns. “And the bad guys will work it until it gets too hard or too risky.”
According to the study, Data Breach QuickView: 2015 Data Breach Trends, the total number of data-breach incidents was up 23% to 3,930 in 2015 from 3,192 in 2014. The number of exposed records, however, fell 33% to 736 million in 2015 from 1.1 billion the year before, the report said.
“Oil companies are doing what they can to encourage c-store chains and marketers to implement better data security, but clearly, it is not their responsibility,” said Shekar Swamy, president and senior security strategist for the risk-management firm, Omega, Ellisville, Mo. “It is the retailer who is responsible for maintaining data security at the retail chain.”
“In the end skimming and data breaches are here to stay,” Swamy told CSP Daily News. “I don’t see a quick escape hatch.”