Retail continues to be under attack. Threats are everywhere, lurking in point-of-sale terminals, insiders, supply chains and beyond. Retailers hold a rich store of sensitive data that cyber criminals find tempting. No surprise, then, that there has been a spate of high-profile cyber attacks affecting retailers so far in 2023. The year started with JD Sports reporting in January that attackers had accessed the historical order information of up to 10 million customers. WH Smith followed in March, reporting a breach of the data of an unspecified number of its current and former employees.
These incidents point to the retail sector as continuing to be an attractive target for cyber criminals. The combination of payment card information and personal data remains a draw. These troves of data held by retailers can be used by bad actors looking to facilitate various types of financial fraud.
Indeed, trend statistics have in recent years consistently featured the retail sector as having one of the highest proportions of incidents reported to the data protection regulator. But whilst the prospect of a GDPR-sized fine for breaching the requirement to have appropriate security is enough to send a chill down any retailer’s spine, there is something far greater at stake – especially for retailers: their reputation and relationship with customers. These are hard won, and easily lost. Any data breach has the potential to put them on the line.
Verizon's recent Data Breach Investigations Report identifies phishing and ransomware as key threats to the retail sector. Ransomware offers an attacker a quick payout without even needing to take the data, though many now exfiltrate it as well so that they can later extort their victims. Stolen credentials are another key threat, fuelling automated and large-scale fraud in the sector through ‘credential stuffing’.
Credential stuffing is a type of cyber attack in which attackers obtain valid username and password combinations for one website's login and then try them, typically with automated tooling and at high volume, across other websites to gain access to accounts. The credentials are usually sourced from data breaches at other organisations and end up being traded by criminals on underground forums.
In recent years the retail sector has been repeatedly targeted with these attacks, including against points-based loyalty schemes, where attackers steal accumulated points and redeem their monetary value. They are effective because they exploit people's tendency to reuse the same username and password combinations across services. Since the stolen credentials are legitimate, the unauthorised access does not stem from a compromise of the retailer's own systems: to the login page each attempt looks like an ordinary sign-in, and what gives an attack away is the pattern of many different accounts being tried from the same source in a short time, with most attempts failing.
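To make that detection point concrete, the following is an added example, not code from the original article, that runs a simple credential-stuffing heuristic over a constructed authentication log. The log format, client addresses, usernames and thresholds are all assumptions made for illustration. It separates the stuffing pattern (one source, many distinct usernames, mostly failures) from single-account brute force and from a genuine user who mistyped a password, and it lists the accounts that were successfully logged into from a flagged source, since those passwords are evidently in the attacker's hands and need resetting.

```python
"""Credential-stuffing heuristic over an authentication log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real traffic; addresses are from RFC 5737 test ranges.
# One attempt per line: "<ISO-8601 timestamp> <client IP> <username> <OK|FAIL>".
# 198.51.100.7 tries ten different accounts in five seconds (stuffing),
# 203.0.113.9 hammers one account (brute force), 192.0.2.44 mistyped once (benign).
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2023-03-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2023-03-01T10:00:02Z 198.51.100.7 carol@example.com OK
2023-03-01T10:00:03Z 198.51.100.7 dave@example.com FAIL
2023-03-01T10:00:03Z 198.51.100.7 erin@example.com FAIL
2023-03-01T10:00:04Z 198.51.100.7 frank@example.com FAIL
2023-03-01T10:00:04Z 198.51.100.7 grace@example.com FAIL
2023-03-01T10:00:05Z 198.51.100.7 heidi@example.com OK
2023-03-01T10:00:05Z 198.51.100.7 ivan@example.com FAIL
2023-03-01T10:00:06Z 198.51.100.7 judy@example.com FAIL
2023-03-01T10:01:00Z 203.0.113.9 admin@example.com FAIL
2023-03-01T10:01:01Z 203.0.113.9 admin@example.com FAIL
2023-03-01T10:01:02Z 203.0.113.9 admin@example.com FAIL
2023-03-01T10:01:03Z 203.0.113.9 admin@example.com FAIL
2023-03-01T10:01:04Z 203.0.113.9 admin@example.com FAIL
2023-03-01T10:05:00Z 192.0.2.44 peggy@example.com FAIL
2023-03-01T10:05:20Z 192.0.2.44 peggy@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Verdict:
    ip: str
    attempts: int        # attempts in this IP's busiest window
    distinct_users: int
    failures: int
    successes: int
    label: str           # "credential_stuffing", "brute_force" or "benign"


def parse_log(text):
    """Parse the whitespace-separated format above into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                    ip, user, outcome == "OK"))
    return attempts


def classify(attempts, window=timedelta(minutes=5), min_attempts=5,
             min_distinct_users=8, min_fail_rate=0.7):
    """Label each source IP from its busiest `window` of login attempts.

    Stuffing: many *different* usernames, about one try each, mostly failing.
    Brute force: many tries against one username. The thresholds are assumed
    starting points, not measured values; tune them against real traffic.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        best, start = [], 0
        for end in range(len(rows)):          # sliding window over sorted attempts
            while rows[end].ts - rows[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        n = len(best)
        users = {a.user for a in best}
        failures = sum(not a.ok for a in best)
        busy = n >= min_attempts and failures / n >= min_fail_rate
        if busy and len(users) >= min_distinct_users:
            label = "credential_stuffing"
        elif busy and len(users) == 1:
            label = "brute_force"
        else:
            label = "benign"
        verdicts[ip] = Verdict(ip, n, len(users), failures, n - failures, label)
    return verdicts


def accounts_to_reset(attempts, verdicts):
    """Accounts successfully logged into from a stuffing source. The login
    system saw a valid password, so the credential is known to the attacker
    and needs a forced reset and a fraud review."""
    return sorted({a.user for a in attempts
                   if a.ok and verdicts[a.ip].label == "credential_stuffing"})
```

Running `classify(parse_log(SAMPLE_LOG))` flags 198.51.100.7 as credential stuffing and 203.0.113.9 as brute force, while the genuine user at 192.0.2.44 stays benign; `accounts_to_reset` then returns the two accounts that the stuffing source logged into. Per-IP counting is the simplest cut: real attacks are spread across proxy pools, so a production version would also key on user agent, ASN or device fingerprint and on the site-wide failure rate.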
Credential stuffing is why strong, unique passwords for each account are recommended (alongside other protections such as two-factor authentication), together with a password manager to help handle them. But even password managers are fallible. Users of the services provided by Norton LifeLock and LastPass learnt this to their detriment in recent months following incidents at those providers. Ironically, the Norton LifeLock incident was itself the result of a credential stuffing attack.
Given their frequency, data breaches might these days be added as a certainty to the ‘death and taxes’ idiom; hence commentators in the cyber community speak of ‘when’, not ‘if’. That being so, organisations are now more often than not judged in the court of public opinion as much by their response to a data breach as by the fact that one happened. The effect of an attack on an unprepared business can be brutal, bringing trading to a grinding halt, and the recovery effort can be a matter of survival for those affected. In the case of ransomware attacks, for example, recovery can take months.
Having the capability to detect security incidents is key, whether the threat is an employee selling their employer's sensitive data to the highest bidder or a sophisticated attacker who maintains a foothold on the network for an extended period after gaining initial access, with a view to stealing secrets or mounting a debilitating ransomware attack. Once an incident has been promptly escalated, investigating and responding to it by following a (well-rehearsed) incident response plan will often involve external support. Just as the response will vary with the nature and severity of the incident, so will the authorities a victim organisation engages with: these might include the data protection regulator (if personal data are affected), as well as law enforcement and the NCSC, which can also provide technical assistance.
One indicator of how much of a priority cyber security is for an organisation is how often senior management are updated on it. A 2022 government survey found that in the retail sector at least 20% of firms never update their senior managers on cyber security actions. Cyber security training and awareness-building for staff, a vital control given that staff are on the front line, has also been notoriously poor in retail. But the survey also found improvement, with one in five firms now running such initiatives compared with one in ten the previous year. So there is progress. But as retailers expand their attack surfaces by harnessing the latest data-driven technologies to drive growth, more needs to be done to secure them against the increased risk of cyber attack.