In the middle of last November came the news that yet another retailer had fallen foul of a security breach. This time it was youth fashion favourite Forever 21, which suffered unauthorised access to data from payment cards used at some of its stores.
This is far from a rare event in retailing these days. Retailers hold a lot of information about their customers so are a prime target for cybercriminals. But what are the threats to retailers and what steps can they take to combat these problems?
The size of the problem
Attacks on retailers are up by 30% year-on-year according to PwC. Only 58% of retailers have an overall security strategy. The same report revealed the retail and consumer sector suffered on average over 4,000 security incidents in 12 months, with 16% of these resulting in losses of more than $1 million.
According to the British Retail Consortium’s own Retail Crime Survey, around 53% of fraud reported in the retail space is cyber-fraud, equating to around £100 million in costs each year. Hacking and data breaches accounted for around 5% of the total, around £36 million.
Alison Wiltshire, global practice lead of retail and consumer goods at BT Global Services, says that with some retailers looking to secure 20% of their year’s revenue on Black Friday, pressure can sometimes result in corners being cut.
“Rather than lose business to long queuing times, till workers often prioritise operational efficiency rather than retail protocol, serving many people from the same account rather than logging in and out,” she says.
The main threats
Andy Baxter, managing director of internet retailer Internet Gardener, says one of the main cybersecurity threats to his business – and one that will be an ongoing trend for 2018 – is identity theft through phishing and pharming scams, often leading to internet payment fraud.
“Fraudsters target retailers to gain profitable personal information such as names, emails, bank account and card information,” he explains.
Baxter says this trend is not only getting bigger, but it's also evolving: “Fraud today is no longer exclusive to stealing details, with online criminals becoming increasingly more sophisticated. This includes using malware, affiliate fraud and pagejacking, to name just a few.”
Tony Smith, sales director – EMEA, PCI Pal, says that, increasingly, retailers are being subjected to DDoS attacks, which can bring their website down and mean they lose out on sales while they fix the issue. “However, of more concern are financially-motivated attacks, which result in a retailer’s data being stolen,” he says.
He says that retailers deal with credit and debit card details (rather than bank account details), alongside addresses and login information if they’re operating an online business. “If this falls into the wrong hands, it has the potential to be traded in online marketplaces to other hackers that can use the details to create clone cards, perform fraud, launch phishing attacks on those whose details were stolen and much more, with a potentially damaging impact,” he adds.
Dealing with a hack and guarding against the next one
Baxter says a simple step retailers can take is encouraging new customers to create an account on the site, which helps to decrease the likelihood of a fraud attack.
“If a retailer was to become a victim of a cybersecurity breach, it is integral to alert users as quickly as possible. Even if the breach may be minimal, keeping it under wraps is not beneficial for anyone. Trust may be temporarily affected, but in the long run, if a vast amount of customer data was fraudulently captured, the trust would be damaged indefinitely,” says Baxter.
Smith says that if an attack resulted in the loss of data, the first step is to advise the ICO of the suspected breach, before working out how much data was stolen and what details were taken. “They then need to communicate this to the customers affected,” he says. “Finally, they should perform a complete audit of their processes and systems to ensure it cannot happen again.”
Future threats
In the future, other threats can come from the growing popularity of the Internet of Things. Smith says that IoT is increasingly being used in retail, whether that’s smart shelving, robot shelf stackers or other sensors to help keep on top of stock and inventory.
“This means there’s more to attack in a retail environment and more ways for hackers to break into the network, where data resides. Ransomware is rising across the board, not just limited to retail. It can mean a retailer could lose all the data it holds as it’s scrambled by the hacker,” he adds.