MEXICO CITY — Mexico’s largest department store chain, Liverpool, is facing a widening probe for failing to immediately notify customers about a hacker attack at Christmas.
“We started an audit process June 15 and hope to complete it in October,” Jonathan Mendoza, audits director at the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, a Mexican data-protection watchdog, told WWD. He added the regulator plans to visit Liverpool’s troubled headquarters in the coming days to check its data-security systems. Depending on what it finds, “we might sanction them,” he said.
Liverpool has 180 days to respond to INAI’s information requests and cooperate with the probe, Mendoza added.
The retailer, which operates more than 100 stores, reported its systems were breached Dec. 24, exposing an unspecified number of employee e-mail and customer files.
In a brief statement filed with the Bolsa Mexicana de Valores, Mexico’s stock market, the retailer called the event “a bribery attempt to damage our reputation” and of “low risk.” It added it was “taking measures to ensure customer data remain[s] protected by strengthening its systems, practices and procedures.”
Soon after Liverpool notified the BMV, INAI launched an investigation it is now expanding with the audits.
Privacy lawyers said the breach was likely significant and may have involved as many as 3.5 million store credit card customers.
“Their entire database was probably hacked because all servers are connected with each other,” said Mario Gomez, privacy officer at Mexico City Commerce, Tourism and Services Chamber Canaco.
Mexican hacking group SicKillers claimed responsibility, posting photos of Liverpool’s senior managers on tech gossip site FayerWayer.com and asking, “if they can’t take care of their private documents, do you think they can take care of yours…?”
The organization claimed it has had full access to Liverpool’s systems for six years, adding that they hope “to shed light on some company events, many of which they have [hidden].”
Some observers said the breach was part of a vendetta after two employee death scandals have tarnished the retailer’s reputation this year.
The cases involve Angélica Trinidad, who was murdered in the chain’s Perisur store in Mexico City in November but whose death Liverpool allegedly hid and manipulated to avoid losing business during the crucial “El Buen Fin” sales weekend. Mexican authorities are investigating the matter, which prompted women’s rights demonstrators to boycott the store, holding banners reading “Liverpool [Is] Part of Your Death” in a reversal of its key marketing slogan, “Liverpool Is Part of My Life” (“Liverpool es parte de Mi Vida”).
The death of an eight-month-old baby in its Querétaro shop also damaged its profile in February. Authorities are investigating employees for reportedly blocking paramedics’ immediate access. A day later, another employee tragically died of electrocution in its Perisur building’s attic.
Gomez said Liverpool has yet to notify all affected customers about the breach, and not just the wealthy customers some critics claim it has notified, unleashing more criticism.
Executives insist that by informing the BMV, the firm met Mexican privacy law.
But “that is of course not the case,” Gomez charged. “The law says you have to notify all data owners, not just some, and you must do so immediately. They broke the law and should be punished.”
Liverpool did not return messages seeking comment.
Since the attack, Liverpool has reinforced its IT systems, largely due to European and U.S. stockholder complaints, Gomez said.
Privacy expert Joel Gomez said 70 percent of Mexican retailers remain vulnerable to data hacks with most lacking privacy officers. However, some are taking action, swapping external security companies for internal officers and introducing so-called white-screen and clean desktop software, he added.