Tag Archives: retail

Top Breaches in Retail in 2015 -2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% retailers believe that their organization is susceptible to insider threats.
  2. 48% retailers have either had a data breach or did not meet compliance audit in the last one year.
  3. 77% retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.

Examples

In order to emphasize on the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed as one of the most expensive breaches in the history of retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware software on POS terminals. The breach cost Target more than US$ 3.6 billion.
  1. CVS/ Walgreens – July 2015 saw a credit card breach where CVS, Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo service in the wake of credit card theft.
  1. CVS – In July 2015, a pharmacy technician passed about 100 customer records between May 2013 and April 2015 to her property manager, who in turn, used this unauthorized information to apply for loans and credit cards.
  1. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention to misuse it.

Reasons Why Retail is Different

There are many reasons that make retail different from other sectors, which also results in the need to implement a unique vertical-specific solution rather than a cookie-cutter solution.

  1. Volume of Credit Card Transactions

In retail, majority of payments are conducted using credit cards, making the sector highly vulnerable to breaches.

  1. High Employee Turnover

Retail has a very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and keep on moving quickly between departments, locations and across other employers. This makes employee training and monitoring very challenging, resulting in higher risk of breaches by insiders intentionally or accidentally.

  1. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether it is POS at stores or gas pumps. There are devices available that can be used on these payment terminals to capture sensitive credit card data.

  1. Multiple Locations

Large retailers have stores across various locations. More the number of locations, higher is the cost of implementing security measures.

  1. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face a very tough competition and are always on their toes to provide a very fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to cross the bridge to other retailers.

  1. Working with Third Parties

Retailers work with a number of third parties. A lot of these third parties manage sensitive data after uploading it to their own network. This raises the risk of data breach.

Conclusion

It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Retail Data Breaches – Lessons Learnt


For the past couple of months we have been talking about data breaches across different sectors, their implications and best practices that can be implemented. In this blog, we will talk about retail.

Enhanced Digital Experience Drives Need for Enhanced Data Security

While the percentage of breaches in retail is low as compared to other sectors (as per Verizon, 1 in every 13 breaches is in retail), the cost of breach per record is very high. This is because a standalone breach in retail can account for thousands of accounts being comprised.

Retail is at the forefront of implementing customer-facing digital applications. As retailers create a seamless customer experience through an omni-channel strategy, the threat to data loss either because of employee error or malicious intent, or because of external factors such as hacker, malware etc. is also increasing. Another type of breach that retailers face is Denial of Service (DoS), which can heavily harm goodwill of the company. In this kind of breach, hackers overload the server and explicitly force the website to go down due to overloading.

While regulatory requirements have been set up to ensure organizations that process sensitive personal or financial information are in compliance, the threat from newer sources and methods is always there. According to IBM, the cost of breach per record in retail is US$ 165. Retailers not only have to pay a heavy price for these breaches in terms of penalties, but they also face the imminent threat of losing their loyal customers to competitors.

Best Practices in Retail for Proactive Data Loss Prevention

Zecurion recommends the following best practices that retailers should implement to thwart data loss threats from their endpoints, servers and networks:

  • Invest and install comprehensive data loss prevention solutions, developed from the ground up, rather than piecemeal solutions. The former provide more robust security features against internal and external threats of data loss
  • Involve end-users of technology in purchase decisions. Getting their feedback on issues they face helps identifying the right need and the right security solution that users are more willing to adopt
  • Educate the staff and conduct regular training sessions on data access policies. Make sure employees are aware of roles, restrictions and permissions assigned
  • Keep firewalls, anti-virus up to date. Make sure that there is no obsolete software running and all updates are current
  • Encryption should be the rule of thumb when exchanging any classified information. Two factor authentication comes very handy in high data volume environments
  • Secure the connection between networks and monitor endpoints regularly
  • Follow strict regulations and policies for Bring Your Own Devices (BYOD)
  • Generate awareness about POS RAM scrappers. These scrappers are used to steal data from infected POS machines. They can be easily installed remotely and the payment card data can then be reproduced within minutes, paving way for fraudulent transactions
  • Implement policies around safe removal of POS machines so no data can be misused
  • Set up regular checkup of POS machines to ensure there are no skimming devices that have been installed to get the payment card information
  • Implement and test a robust post-attack mitigation plan in case a breach does happen

It is worth mentioning here that the National Retail Federation has been actively campaigning for “Chip and Pin” cards. Payment cards have all the sensitive data stored in a microchip, with nothing embossed on the card. A “Chip and Pin” card will require a secret number to get approved instead of a signature. The requirement of having a pin number will aid in countering a lot of breaches, especially in case of stolen cards.

The “Chip and Pin” cards are in practice in other countries but are still not available in the US. While the initial set up cost for these kind of cards may be high, the security benefits offered will still outweigh the risk of a large data breach.