The retail sector is ubiquitous, and so are cyberattacks. Serving billions of consumers across the globe, retail businesses have a direct and immediate impact on our everyday lives. This means the cybersecurity risks that retailers face have direct consequences for all of us.
A treasure trove of personal data and financial information, the retail industry has become a favorite target of e-criminals. Since 2020, retail has joined healthcare and BFSI (banking, financial services and insurance) among the most cyber-attacked industries.
In light of the recent cyberattack on a British sportswear giant, let’s explore the current state of cybersecurity in the retail sector and understand what makes this sector so vulnerable.
The JD Sports Cyberattack: What Happened?
JD Sports, the UK-based sportswear retailer, announced data theft relating to 10 million unique customers after a cyberattack left their systems defenseless. The announcement came on January 30 via official company sources. The cyberattack impacted several JD Sports brands, including JD, Blacks, Millets, MilletSport, Size?, and Scotts.
While the company is still investigating attack sources, they have successfully narrowed down its scope. Threat actors infiltrated an internal system that contained customer information on online orders from November 2018 to October 2020.
The leaked data includes customers’ names, phone numbers, billing and delivery addresses, email addresses, order information, and the last four digits of payment cards.
As per The Guardian, JD Sports has taken “necessary immediate steps” to investigate and remediate the situation. The company is consulting cybersecurity experts, warning customers about the potential fraud and phishing attacks that may follow the breach, and engaging with the UK’s Information Commissioner’s Office (ICO).
Cybersecurity Trends in Retail
JD Sports is not a one-off case where cybercriminals targeted a retail business. There has been an insidious pattern of retail-oriented cyberattacks in the last two years. The criminals are increasingly motivated by post-pandemic consumer behavior and the influx of new technologies in the sector.
According to Verizon’s 2022 Data Breach Investigations Report, malware used to “Capture app data” appears seven times more often in retail than in other industries. The report finds that attackers typically exploit a vulnerability, gain access to the e-commerce server using stolen credentials, and steal customer data, often going undetected for several months at a time.
According to Sophos research, the retail industry experienced the highest rate of ransomware attacks in 2021, with 77% of retail businesses getting hit, a 75% increase over the previous year. This trend continued in 2022 and will surely not diminish this year. The same research found that 97% of retail businesses upgraded their cyber defenses in the last year.
The cybersecurity scenario for the retail sector is getting bleaker than ever. The industry also has one of the lowest ransom payout rates by cybercrime insurers. As it gets harder to secure coverage, retailers are constantly looking for optimized cybersecurity solutions.
Retail Sector Cybersecurity: What are the Risks?
Today, we don’t shop the way we used to. Shopper behavior has considerably changed in the last three years and will continue transforming as technology develops. While consumer convenience has skyrocketed, it has also opened the attack surface for bad actors.
Let’s explore the factors responsible for increasing industry-wide cybersecurity vulnerabilities.
Social Media Account Takeovers (ATO)
Developments in technology and social media have made shopping an effortless experience. At the same time, abandoning traditional shopping norms has led to significant security pitfalls. Social media accounts are an exact reflection of a person’s shopping habits.
Usually, there’s a link between a consumer’s social media account and their e-commerce accounts. It also creates a pathway to access Apple Pay or Google Pay information. This makes credential and data theft incredibly easy for e-criminals.
BOPIS (Buy Online, Pick up In-Store) is very popular among US shoppers, especially after 2020. Also called the click-and-collect model, BOPIS has grown by over 100% in the US and accounts for over 10% of all US e-commerce sales. Worryingly, ACI Worldwide’s research shows that 7% of all BOPIS transactions contain elements of fraud.
BOPIS fraud can be carried out in various ways, such as:
- Using stolen credit card credentials
- Last-minute cancellations while order pick-up is in-process
- Bypassing purchase controls with bots
As the BOPIS strategy becomes more popular, new ways of carrying out fraud will inevitably develop. BOPIS fraud can only be contained when merchants actively invest resources in improving fraud management systems.
Supply Chain Fraud
Manufacturers, wholesalers, and various other actors play a critical role in today’s supply chain. Most retailers have multiple vendors. In turn, those vendors also have vendors. This leads to a hidden web of potential data risk. A chain is only as strong as its weakest link.
Forrester’s recent report states that 60% of all retail security incidents stem from third-party vulnerabilities. Unbranded fulfillment services used by small retailers significantly contribute to data risk. An attack on a retailer’s supplier can compromise the retailer’s and its customers’ data even though there was no direct breach.
E-commerce websites are often the face of retailers. This also makes websites the most-attacked part of any e-commerce business. Authentication, data privacy, non-repudiation, availability, and compliance all depend on the website remaining healthy and uncompromised.
Some of the most common e-commerce threats involving websites are:
- SQL injection: malicious input is smuggled into database queries to manipulate backend data and read sensitive information.
- Brute force attacks: automated attacks that use trial and error to guess passwords. The targets are usually admin panels and customer accounts.
- DoS & DDoS attacks: the retailer’s server is flooded with requests from hard-to-trace IP addresses, causing it to crash and hampering availability.
- E-skimming: Magecart-style attacks inject malicious scripts into payment processing pages to steal card data as customers enter it.
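The first two items in the list above are the ones a retailer’s own application code can do the most about. The block below is an added example (not code from the article or from JD Sports or ACE): a constructed, in-memory customer table queried once with string formatting (the injectable pattern) and once with a bound parameter, plus a sliding-window failed-login counter that locks a source address after too many wrong passwords. The table contents, the account names, the threshold constants (`MAX_FAILURES`, `WINDOW_SECONDS`) and the `LoginGuard` / `login` helper names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from collections import defaultdict, deque

# Hypothetical policy values chosen for the example, not taken from the article.
MAX_FAILURES = 5        # failed logins tolerated per source address...
WINDOW_SECONDS = 300    # ...within this sliding window (seconds)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored or compared in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample customer table (in-memory, fake accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, card_last4 TEXT)"
    )
    for email, password, last4 in [
        ("alice@example.com", "correct horse", "4242"),
        ("bob@example.com", "battery staple", "1111"),
    ]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?, ?)",
            (email, salt, hash_password(password, salt), last4),
        )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately injectable: user input is pasted into the SQL text."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


class LoginGuard:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict = defaultdict(deque)

    def is_blocked(self, src: str, now: float) -> bool:
        q = self._failures[src]
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, src: str, now: float) -> None:
        self._failures[src].append(now)


_DUMMY_SALT = os.urandom(16)  # used so unknown e-mails cost the same time as known ones


def login(conn: sqlite3.Connection, guard: LoginGuard, src: str,
          email: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked' for one login attempt from address `src`."""
    if guard.is_blocked(src, now):
        return "locked"
    row = conn.execute(
        "SELECT salt, pw_hash FROM customers WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        hash_password(password, _DUMMY_SALT)   # constant-time-ish: avoid user enumeration
        guard.record_failure(src, now)
        return "denied"
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "ok"
    guard.record_failure(src, now)
    return "denied"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("formatted query returns", len(vulnerable_lookup(db, probe)), "rows")
    print("parameterised query returns", len(safe_lookup(db, probe)), "rows")
    g = LoginGuard()
    for t in range(6):
        print("attempt", t + 1, login(db, g, "10.0.0.1", "alice@example.com", "wrong", 1000.0 + t))
```

The same probe string returns every row through the formatted query and no rows through the parameterised one, which is the whole argument for bound parameters. The guard keys on the source address, so one client exhausting its attempts does not lock other customers out; in production the counter would live in shared storage (a cache or database) rather than in process memory, and the lockout event itself is worth logging so the SIEM can correlate it with the other activity the article describes.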
Today’s consumers are spoilt for choice. If they have a terrible experience with one retailer’s app or website, ten other options are ready. The reputational damage of a compromised or unreliable website can be fatal for a business.
Retailers commonly use a mix of both old and new technologies. Unfortunately, this makes a hacker’s job easy. For example, many retailers use legacy point-of-sale (POS) systems in the front end, with cloud-based systems driving logistics, analysis, and data storage in the back end.
The industry’s need to provide convenience to the customer makes it hesitant to replace technology that customers and staff are comfortable with. On the other hand, businesses are also eager to adopt new technology that gives customers online access and ease of use.
While this combination of technology is good for the customer, it opens multiple potential attack vectors for cybercriminals.
Essential Retail Compliances
Compliance is an intimidating part of any business, especially international retail. Governments and consumers put significant pressure on firms to comply with regulations. This applies even more to businesses that handle potentially hazardous products like electronics, children’s goods, or food.
Here are some of the essential compliance standards every business owner needs to know about:
1. PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) sets requirements for protecting cardholder data, including encrypting it when it is transmitted across networks.
2. SOC
SOC (Service Organization Control) reports describe how a company manages personal and financial information. They enumerate the measures a business takes to protect sensitive data from unauthorized access.
3. ISO/IEC 27001
ISO/IEC 27001, published by the International Organization for Standardization, defines requirements for information security management systems (ISMS). It specifies the baselines for establishing, implementing, maintaining, and improving such systems.
4. GDPR
GDPR (General Data Protection Regulation) is the European Union’s well-known data protection regulation. It governs how customer data is collected, stored, processed, and sold.
5. CCPA
CCPA (California Consumer Privacy Act) focuses on customer data protection within the jurisdiction of the State of California. Its requirements apply to online merchants operating in California.
The retail sector has several security challenges to overcome. Risks and attack vectors are rapidly evolving while competitors keep multiplying. The industry is experiencing a wave of new technology and transformative consumer behavior. These factors have created a perfect storm of cybersecurity vulnerabilities in retail businesses.
The surest way to succeed as a business without falling victim to hackers is to meet all essential compliance requirements and close technological loopholes. But it’s difficult for busy enterprises to prioritize cybersecurity when all their efforts focus on customer acquisition and satisfaction.
So, What’s the Way Out?
Managed Security Service Providers (MSSPs). Outsourced security experts, like ACE Managed Security, know what needs to be done to protect your retail business from a crippling cyberattack. They ensure a robust security posture with reduced vulnerabilities – without hampering daily business operations and customer ease.
Want to know how? Book a security consultation with ACE experts today and see for yourself!