RETAIL CYBERSECURITY

ACID Technologies helps retailers protect themselves by detecting the first signs of an impending cyberattack, as early as its planning stage, and by providing real-time, detailed alerts that enable the targeted retailers to implement effective preventive measures.

ACID Technologies provides retailers with 24/7/365 dark web monitoring, while also continuously monitoring the deep web and multiple additional sources. When it detects a threat, ACID sends real-time, actionable alerts containing all available information, enabling the targeted business to respond effectively, mitigate the harm, and potentially foil the attack altogether.


Retail cybersecurity is increasingly essential

Where in the past crime in the retail industry involved the theft of merchandise and money, it now focuses on the theft of data, particularly credit card information that retailers hold in large quantities.

Trustwave reports that in addition to credit card data, cybercriminals also have back-office systems in their sights, citing payroll and HR systems as routes to direct access to company financial accounts and to the data needed for broader identity theft operations.

Furthermore, mobile apps and cloud storage increase retailers’ web presence, providing additional opportunities for cybercriminals seeking sensitive data to steal and sell, or encrypt and use in ransomware attacks.

These attacks come on top of insider threats, such as copying data to portable media, and the exploitation of vulnerabilities in retailers' IT infrastructure. As many retailers' infrastructures share similar characteristics, a successful attack on one can be reused to attack others.

Deloitte identifies the following reasons behind cybercriminals’ increased attacks against the retailer sector:

  • Retailers possess large databases of credit card data.
  • They increasingly rely on data-driven technologies, such as big data and sophisticated warehouse models, to improve efficiency and increase sales.
  • Many retailers are becoming active in the healthcare and pharmacy businesses, and therefore possess more sensitive data.
  • Buyers in developing countries are shifting from cash payments to electronic card payments.

Deloitte also identifies rising insider threats, due to:

  • High employee turnover rates, including seasonal employees.
  • Many stores and distribution centers.
  • Business outsourcing to third parties.

Some experts also identify social engineering as a contributing factor which can lead to successful cyberattacks against retailers.

These threats highlight the importance of a well-planned data access control policy, ensuring that access to data is authorized only to those requiring it to execute their tasks.

Retail cybersecurity is of particular importance in the holiday season

A particularly sensitive time of year for retailers is the holiday season (defined as October 1 to December 31), when sales skyrocket, and which cybercriminals often exploit.

The Holiday Season Cyber Threat Trends report issued in November 2022 by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), examines the threat landscape facing the retail and hospitality sector during the holiday season.

Retailers reported being most worried about recurrent threats, with nearly 20% of those surveyed identifying phishing as a threat not only during the holiday season but year-round. Of even greater concern was what that activity leads to: credential harvesting was the threat most frequently shared on the retail members' exchange, accounting for 42% of shared threats in 2020 and 37% in 2021.

The RH-ISAC Holiday Season Cyber Threat Trends report also indicated that fraud using loyalty cards, and even more so, gift cards, was a concern, as these allow the perpetrators to remain anonymous.

Comparing 2020 with 2021, the report highlighted how quickly the retail threat landscape can evolve with respect to malware, bots and vulnerabilities: some threats, such as QakBot, Emotet, Agent Tesla and Dridex, remain a constant worry, while others, such as Log4Shell, emerge suddenly and without warning.

Attacks in the retail sector, regardless of their origin or type, can cause severe harm. Successful attacks, especially those in which large amounts of data are compromised, attract widespread negative publicity and damage the brand: sales decrease, the share prices of publicly traded companies drop for at least several months, and the loss of reputation erodes customer loyalty. Further costs may follow, for example providing affected customers (in some cases millions of them) with free credit monitoring.

An additional cost retailers risk incurring stems from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council (PCI SSC) to support safe card payments worldwide. Retailers that fail to adhere to the standard are at increased risk of a successful cyberattack, and also risk the contractual fines that the card brands pass down through acquiring banks, higher transaction fees, and, in jurisdictions whose laws reference PCI DSS, regulatory penalties.

Ransomware statistics demonstrating the need for retail cybersecurity

Sophos's State of Ransomware in Retail 2021 report is based on a survey of 435 IT decision-makers in the retail sector and focuses on ransomware. It identifies retail (tied with education) as the sector that suffered the highest rate of ransomware attacks in 2020.

The report states that 44% of retailers suffered a ransomware attack in 2020, and that the attackers succeeded in encrypting data in more than half of those cases. It adds that 34% of the retailers who were not hit in 2020 expected to be hit the following year.

Verizon's 2021 Data Breach Investigations Report, which draws on incident data rather than a survey, reveals that 99% of the 165 retail incidents with confirmed data disclosure were financially motivated, with payment data involved in many of the breaches and personal data in 40% of them. Credentials were the target in 33% of the cases.

44% of retailers sustained a ransomware attack in 2020

(Sophos, 2021)

Only 9% of retailers who paid the ransom got all of their encrypted data back

(Sophos, 2021)

Retailers who paid the ransom recovered only 67% of their encrypted data on average

(Sophos, 2021)

Rectifying the harm caused by a ransomware attack cost $1.97M on average

(Sophos, 2021)

The retail sector is continuing its growth – in physical stores, as well as in online ones.

The National Retail Federation (NRF) has forecast that retail sales will grow by between 2.5% and 3.5% in 2024, to between $5.23 trillion and $5.28 trillion. According to Capital One Shopping, there are more than 4.76 billion retail shoppers worldwide, a number projected to reach 5.6 billion by 2030.

Retailers, even small ones, store valuable payment information and personally identifiable information (PII) about their customers. Large retail chains with tens to hundreds of millions of customers hold an immense amount of sensitive information. It therefore comes as no surprise that 24% of cyber attacks are directed at retailers (Trustwave), with cybercriminals primarily interested in financial gain. The online stores that retailers operate further increase the attack surface.

The average cost of a data breach in the retail sector is estimated at $2.9 million (Trustwave). The severe penalties for noncompliance with data and privacy laws and regulations which retailers are required to obey must also be taken into account.

The damage caused to retailers as a result of a cyber attack is not measured in financial losses alone, but also in the impact on reputation, customer trust and loyalty, which are paramount to their success.

62% of consumers are not confident about the security of their data with retailers; 25% of consumers believe that their data is not safe with retailers; 43% of respondents reported having been the victim of a fraudulent charge through a retailer; and 52% of respondents who had been victims of fraud said that the incident negatively affected their view of the retailer (Digital Commerce).

This stresses the importance of effective cybersecurity in the retail sector.

The main laws and regulations applicable to retailers serving customers in the USA and Europe are:

  • The European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of personal data and is considered by many to set a global standard. The GDPR is relevant to retailers because of the vast amount of sensitive information they hold. One of its main principles is that personal data must be processed "lawfully, fairly, and transparently." For a retailer this means having a lawful basis, such as the customer's informed consent, before collecting such information, and honoring customers' requests to have the personal data collected about them deleted.

Noncompliance with the GDPR can result in penalties that are potentially catastrophic to a retailer: up to €20 million or 4% of global annual turnover, whichever is higher.

  • The California Consumer Privacy Act of 2018 (CCPA), which gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations, which provide guidance on the law's implementation. The law applies to a for-profit business doing business in California that collects California residents' personal information and meets at least one of these thresholds: annual gross revenue above $25 million; buying, selling or sharing the personal information of 100,000 or more California consumers or households; or deriving 50% or more of its annual revenue from selling or sharing personal information. It grants:
    • Consumers' right to know what personal information a business collects about them and how it is used and shared
    • The right to delete personal information collected from them (with some exceptions)
    • The right to opt out of the sale or sharing of their personal information, and
    • The right to non-discrimination for exercising their CCPA rights

A later amendment, the California Privacy Rights Act (CPRA), added new privacy protections, which came into effect on January 1, 2023, including:

  • The right to correct inaccurate personal information that a business has about consumers, and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Civil penalties of up to $7,500 per violation can be imposed on businesses found to have intentionally violated the CCPA; the maximum for other violations is $2,500 per violation.

Some of the threats faced by retailers include:

  • Phishing and social engineering attacks – phishing attacks are becoming increasingly sophisticated, more personalized, and harder for untrained people to identify. The problem grows when retailers hire large numbers of temporary employees for the busy holiday season, for example. A concerning newer variant is vishing (voice phishing), in which the perpetrators use deepfake audio to impersonate a company executive or colleague and trick employees into disclosing sensitive information.
  • Ransomware – cybercriminals increasingly time their attacks to coincide with the marketing campaigns and discount promotions that retailers use to draw large numbers of customers, for example in the run-up to the holiday season. At such times the encryption of their data is particularly damaging, and retailers are more willing to pay the ransom to restore operations rather than lose customers to competitors.
  • Exploitation of Internet of Things (IoT) vulnerabilities – IoT devices used by retailers, among them POS systems and smart shelves, are open to compromise if not properly protected.
  • Supply chain attacks – as retailers rely on external providers for a variety of services, security gaps in a provider's systems also put the retailer itself at risk.
  • Insider threats – authorized users who are in fact malicious actors, for example employees who feel they have been treated unfairly, or who have been terminated but whose login credentials were never revoked, and who use their access to take revenge and/or enrich themselves.
  • In May 2024, the luxury retailer Neiman Marcus was targeted in a cyber attack carried out by a hacker using the name "Sp1d3r". In its statement the company wrote: "In May 2024, Neiman Marcus Group (NMG) learned that an unauthorized third party gained access to a cloud database platform used by NMG. Based on our investigation, we determined that the unauthorized third party obtained certain personal information stored in the database platform. The types of personal information affected varied by individual, and included information such as names, contact information (e.g., email and postal addresses, and phone numbers), dates of birth, Neiman Marcus and Bergdorf Goodman gift card information (without gift card PINs), transaction data, partial credit card numbers (without expiration dates or CVVs), the last four digits of Social Security numbers, and employee identification numbers." Troy Hunt, founder of "Have I Been Pwned", analyzed the stolen data and reported that more than 31 million customer email addresses were exposed, whereas the company itself stated that the attack affected only 64,472 customers.
  • In September 2024, a number of prominent French retailers were the victims of cyber attacks, among them Boulanger (electronic equipment and household appliances), Cultura (books, games, music, musical instruments and more), Truffaut (gardening supplies, products for pets and the home) and Pepe Jeans (clothing), and, according to several media outlets, possibly additional retailers. The attacks resulted in the theft of data. According to a statement issued by Boulanger, customer addresses were compromised but not financial data. Cultura, which operates 110 stores in France, confirmed that data on 1.5 million of its customers was stolen, including names, order details, email addresses, postal addresses and telephone numbers, but not banking data. A perpetrator calling itself "horrormar44" claimed responsibility for the attacks.
  • In November 2024, Ahold Delhaize USA, the fourth largest grocery retail group in the USA and one of the largest in the world, serving 63 million customers weekly, was targeted by cybercriminals. The attack impacted a number of its national chains, among them Stop & Shop, Hannaford and Food Lion. According to Cybernews, Ahold Delhaize uses an omnichannel, customer-centric business model that integrates all of a brand's channels, including physical stores, apps, websites and social media, which could explain why all of its US supermarket chains experienced IT difficulties for days after the attack. Grocery shoppers reported empty shelves at numerous locations in the New England area, reportedly because the attack disrupted truck shipments.
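The insider-threat bullet above (departed or disgruntled staff whose credentials were never revoked) and the earlier point about high seasonal turnover come down to one routine control: reconciling the HR roster against the identity directory and the groups each account holds. The script below is an added example, not code from ACID or from any retailer named on this page; the CSV column layouts, the role-to-group baseline and the sample rows are all constructed for the illustration.

```python
"""Reconcile an HR roster against an identity-directory export to find
the accounts the insider-threat discussion warns about: terminated or
expired seasonal staff with live logins, enabled accounts with no HR
record, and accounts holding groups beyond what their role needs.

Added illustration, not ACID's or any retailer's code. The column layouts,
the ROLE_GROUPS baseline and every sample row are constructed.
"""
import csv
import io
from datetime import date

# Constructed HR roster export (assumed columns).
HR_ROSTER_CSV = """employee_id,name,role,status,end_date
E100,Ana Ruiz,cashier,active,
E101,Ben Ito,cashier,seasonal,2024-12-31
E102,Cara Lee,cashier,terminated,2024-11-15
E103,Dev Shah,payroll_admin,active,
E104,Eli Bauer,store_manager,seasonal,2025-01-10
"""

# Constructed directory export (assumed columns); groups separated by ';'.
DIRECTORY_CSV = """username,employee_id,enabled,groups
aruiz,E100,true,pos-users
bito,E101,true,pos-users
clee,E102,true,pos-users;payroll-readers
dshah,E103,true,payroll-admins;hr-readers
ebauer,E104,true,pos-users;payroll-admins
svc-legacy,,true,payroll-admins
"""

# Least-privilege baseline: the only groups each role needs (assumed).
ROLE_GROUPS = {
    "cashier": {"pos-users"},
    "store_manager": {"pos-users", "store-reports"},
    "payroll_admin": {"payroll-admins", "hr-readers"},
}


def load_rows(text):
    """Parse a CSV export held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, directory_csv, today_iso):
    """Return a sorted list of (username, finding) pairs for enabled accounts."""
    today = date.fromisoformat(today_iso)
    roster = {r["employee_id"]: r for r in load_rows(hr_csv)}
    findings = []
    for acct in load_rows(directory_csv):
        if acct["enabled"].lower() != "true":
            continue  # disabled accounts cannot log in; not a live risk here
        user = acct["username"]
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # Service or leftover account nobody in HR owns.
            findings.append((user, "orphan: enabled account with no HR record"))
            continue
        if emp["status"] == "terminated":
            findings.append((user, "terminated employee still enabled"))
        elif emp["status"] == "seasonal" and emp["end_date"]:
            end = date.fromisoformat(emp["end_date"])
            if end < today:
                findings.append((user, f"seasonal contract ended {end}, still enabled"))
        # Least privilege: any group outside the role baseline is a finding.
        allowed = ROLE_GROUPS.get(emp["role"], set())
        extra = set(filter(None, acct["groups"].split(";"))) - allowed
        if extra:
            findings.append((user, f"groups beyond role {emp['role']}: {','.join(sorted(extra))}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(HR_ROSTER_CSV, DIRECTORY_CSV, "2025-01-05"):
        print(f"{user:12} {finding}")
```

Run with a reporting date of 2025-01-05 it flags the terminated cashier's live account, the seasonal worker whose contract has ended, the service account with no HR record, and two accounts holding payroll groups their roles do not need. In practice the two exports would be pulled from the HR system and the directory on a schedule, and each finding would open a ticket to disable the account or strip the group.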

ACID helps retailers maintain business continuity, preserve their customers’ trust and build customer loyalty.
Clusters of robots (automated crawlers) are deployed and sophisticated algorithms applied to continuously monitor the dark web and numerous additional sources, in order to detect signs of impending attacks while they are still in the planning stage, attacks that are in progress, and leaked data indicating a breach.
Client-specific keywords are used, and the relevant languages are chosen, to provide optimal results.
Once a threat is detected, ACID sends real-time alerts to the targeted retailer, enabling it to implement countermeasures to diminish the effects of the attack. In some cases, the real-time alerts and precise information enable the targeted business to thwart the attack before it is actually launched.
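As an added illustration of the keyword-driven monitoring described above (this is not ACID's code; the client profile, field names and sample posts are all constructed for the example), the script below scans a batch of crawled posts for three indicators tied to one retailer: its brand keywords, e-mail addresses at its corporate domain, and card numbers that pass a Luhn check and start with the BIN of its store card. Card numbers are masked before they leave the function so that an alert never stores a full PAN.

```python
"""Scan monitored posts for signs that one retailer is being targeted or
has already leaked data: brand keywords, staff e-mail addresses at the
retailer's domain, and store-card numbers (Luhn-valid, client BIN).

Added illustration of keyword-based dark web monitoring; not ACID's code.
The client profile, post layout and every sample post are constructed.
"""
import re

# Constructed client profile (assumed shape).
CLIENT = {
    "name": "examplemart",
    "keywords": ["examplemart", "example mart", "exmart pos"],
    "email_domain": "examplemart.example",
    "card_bins": ["601234"],  # issuer prefix of the retailer's store card
}

# Constructed sample posts, as a crawler might return them.
POSTS = [
    {"id": 1, "source": "forum",
     "text": "Selling fresh combo list, 300k lines incl jdoe@examplemart.example:Winter2024!"},
    {"id": 2, "source": "market",
     "text": "ExampleMart dumps 6012340000000003 exp 12/27, 6012340000000000, 4111111111111111"},
    {"id": 3, "source": "paste",
     "text": "Anyone got access to ExMart POS backend? Paying well, start before Black Friday"},
    {"id": 4, "source": "forum",
     "text": "example martini recipes thread"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_post(post, client):
    """Return an alert dict for a post that mentions the client, else None."""
    text = post["text"]
    low = text.lower()
    # Word boundaries keep 'example mart' from matching 'example martini'.
    keywords = [k for k in client["keywords"]
                if re.search(r"\b" + re.escape(k) + r"\b", low)]
    emails = [m.group(0) for m in EMAIL_RE.finditer(text)
              if m.group(1).lower() == client["email_domain"]]
    cards = []
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        # Only numbers that are both valid and issued on the client's BIN count.
        if luhn_ok(pan) and any(pan.startswith(b) for b in client["card_bins"]):
            cards.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])  # mask, never store full PAN
    if not (keywords or emails or cards):
        return None
    severity = "high" if (emails or cards) else "medium"
    return {"post_id": post["id"], "source": post["source"], "severity": severity,
            "keywords": keywords, "emails": emails, "cards": cards}


def scan_all(posts, client):
    """Alerts for every post that carries at least one client indicator."""
    return [a for a in (scan_post(p, client) for p in posts) if a]


if __name__ == "__main__":
    for alert in scan_all(POSTS, CLIENT):
        print(alert)
```

On the sample batch, the leaked staff credential and the card dump come out as high-severity alerts, the request for POS access as medium, and the martini thread produces nothing. The Luhn check plus BIN prefix drops both the card-like string that is not a valid number and the valid number that belongs to another issuer, which is what keeps an alert queue like this usable.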