Features 07.09.2023

Retail Sector Cyber Attacks: Shopping for Security

The retail sector has made headlines due to many high-profile (and costly) data breaches. What can retailers do to stay clear of the front pages?

Vast amounts of data and rapidly changing technology make the retail sector a significant target for cyber attacks. But what can be done to shore up security? Kate O’Flaherty investigates

The retail sector deals with vast amounts of data supported by rapidly changing technology, making it a prime target for cyber attacks. As digital transformation continues to accelerate across the industry, it’s no surprise that multiple retailers have been victims of high-profile breaches this year.

JD Sports was breached in January, impacting 10 million customers’ personal and financial information. A few months later, WH Smith suffered a cyber attack, this time affecting staff data. Then, in July, cosmetics giant Estee Lauder became the latest retailer to become a victim of a ransomware cyber assault reportedly perpetrated by the BlackCat and Clop gangs.

The consequences of retail sector cyber attacks can be enormous, including reputation damage and regulatory fines. No one knows this better than Dixons Carphone, which was hit with a maximum fine of £500,000 in 2020 for not protecting customer data after tills in its shops were compromised by a cyber attack that impacted 14 million people.

In 2016, TalkTalk was also served a massive fine of £400,000 for security failings that led to the 2015 TalkTalk cyber attack.

So why is the retail sector such a big target for attacks, and what can be done to shore up security?

Have you got a loyalty card?

Retailers are attractive targets. They collect large amounts of customer data and use technology to enable an omnichannel experience, including online, in-store and on the phone. Their use of third parties increases the risk further.

Significant volumes of transactional and financial information about customers pass through retailers’ hands daily, says Will Richmond-Coggan, a partner in the data breach litigation team at law firm Freeths.

This data can give cyber criminals an instant fix, he says. “While other forms of sensitive information such as health data may ultimately be more lucrative to an attacker, there is an immediate value to getting their hands on customers’ credit card details and banking information.”

Technology in the retail sector is also advancing quickly. Many retailers are embracing data-driven technologies to increase efficiency, including hybrid and multi-cloud infrastructure, says Mark Wojtasiak, vice president of product strategy at security firm Vectra. “This offers adversaries more opportunities to infiltrate the network or cloud and deploy increasingly technical and sophisticated attacks,” he warns.

And beyond the retailers themselves, cyber criminals prey on supply chains, hoping these companies will offer a route into a big-name firm. Many retailers depend on third parties to store customer data, says Robert Sugrue, product director of cybersecurity at managed service provider Six Degrees. “By compromising the weakest link in a supply chain, attackers can cause serious damage to retailers, disrupting operations and harming relationships.”

Richmond-Coggan cites the example of the 2013 Target breach, which saw attackers exploit a vulnerability in the systems of one of the retailer’s suppliers to gain access to a customer financial records database. “Over 40 million banking and credit card details were confirmed to have been stolen,” he laments. It was one of the US retail sector’s largest-ever attacks and certainly something you don’t want to happen to you.

According to Sugrue, attackers always like to follow money, and they do so by targeting point-of-sale (POS) systems, installing malware that steals credit card information when the system is used. In addition, adversaries often target e-commerce websites and the databases behind them, “searching for weaknesses they can exploit to steal personal data that can be sold on the dark web,” he warns.

Bharat Mistry, technical director at security firm Trend Micro, describes the additional threat posed by digital skimming, which can allow criminals to steal customer data. “This sees adversaries implant malicious code directly into website payment pages or via a compromised third-party,” he explains.

Valuable records, ripe for target

There’s a lot of it about, so it won’t be surprising that ransomware is being used in an increasing number of attacks on retailers. The data-locking malware can make its way into systems through phishing scams, often when an employee mistakenly clicks on a malicious link or downloads a malware-laden document.

“In these attacks, retail stores need to quickly decide whether to pay the ransom, based on how much they will lose if they can’t get their system back processing orders quickly,” says Dr. Michael Nizich, an adjunct associate professor of computer science and cybersecurity at New York Institute of Technology.

Complying with regulations like the EU General Data Protection Regulation (GDPR) and the UK’s upcoming Data Protection and Digital Information Bill can help. Still, the complexity of doing so also adds to the pressure.

Richmond-Coggan says the range of customer information retailers handle is becoming more extensive and sophisticated. “The history of customers’ engagement with the business is a valuable record. However, as well as being a ripe target for a breach, this rich data repository brings more mundane challenges around data protection compliance.”

Taking this into account, having a good understanding of the data that the business has and the uses it can be put to is essential, says Richmond-Coggan.

Basic but strong

The retail threat is real, so it’s essential to try and overcome complexity to ensure robust defences. This can be done by combining a solid strategy with security basics, including the right technology.

According to Sugrue, retailers can boost data protection through authenticated data access, encryption and solid data backup solutions. “However, it is just as vital to ensure that vendors are doing the same all the way down the supply chain,” he warns.

To ensure supply chain security, retailers should implement stringent vetting processes and regularly assess the robustness of their cybersecurity measures, says Cian Heasley, security consultant at Adarma.

At the same time, says Heasley, retailers must educate their employees about best practices, including the importance of supply chain security. “Human error remains one of the most significant factors contributing to cyber incidents. By fostering a culture of security awareness and providing comprehensive training, retailers can empower their workforce to identify and respond effectively to potential threats.”

Most experts – at least those working in the security industry – also agree there needs to be a shift in perception among senior retail leaders. Many see cyber as a barrier rather than a function that can help to drive innovation and growth, says Mistry. “CISOs need to engage the board with business language and risk-based metrics to explain the impact of strategic choices and why security matters. The C-suite must understand that managing cyber risk isn’t a ‘nice to have’ – it’s an essential foundation for any business activity.”

Five steps retailers can take to protect data and boost cybersecurity

  1. Protect your supply chain: It’s a major source of attacks, so ensure you are aware of the risks and vet your suppliers.
  2. Educate employees: Retailers must train employees on risks, including phishing emails, to help avoid attacks caused by human error.
  3. Change leadership perceptions: Experts say cybersecurity should be seen as a function to help drive innovation rather than a cost and a barrier.
  4. Protect from ransomware: Ransomware is a major threat to retailers, so ensure you take basic security steps to protect yourself, backing up data and training staff.
  5. Comply with regulation: Retailers hold vast amounts of data, but complying with regulations such as the GDPR and its UK equivalent can help safeguard customer information.
