With Retail Digital Transformation and Highly Personalized Consumer Experiences, New Threats are Surfacing

14 March, 2023

At the turn of this century, the retail industry was one of the prime targets for cyber attackers in physical stores and online, even though e-commerce was still new. Criminal rings systematically attacked POS systems, for example, and stole credit card information.

The volume and velocity of those early attacks drove regulators to pass legislation, including PCI-DSS, which is now commonplace. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by banks and credit card issuers. The standard was created to control cardholder data better and reduce credit card fraud.

While credit card fraud continues today, often through direct attacks on consumers who hold those cards, the bigger cyber security issue for the retail industry today is the depth of information they collect, store, and monetize, making retailers once again the “dream date” of the “dark side.”


Sign up now for a free assessment of your retail cyber security posture.


The attacks today are highly sophisticated and used to exfiltrate massive amounts of data or are ransomware-based, with many of these attacks never reported, and many victims of these attacks willing to pay out millions to get their networks, applications, and systems back.

Attacks in-store can range from stealing merchandise to changing prices, and the threats in both online and in-store cases are often organized by employees who pose digital and physical challenges for retail brands.

Overcoming Security Threats: The Retail Security Stack

For all its many benefits, digital transformation is changing the way retailers address cyber risk. Retailers are investing to make every online transaction and every store visit personalized and convenient, and they understand that in doing so they hold more personal and sensitive information, and that their brand reputations could be harmed if they do not put cybersecurity in place. By embracing retail DX to create modern customer experiences online and in stores, retailers stay competitive and remain attractive to consumers. DX also improves how retailers operate across the entire supply chain and how they create hybrid shopping experiences (buy online, pick up in-store, for example).

Remember the Target attack? This retail giant paid an $18.5 million multistate settlement, the largest ever for a data breach, after its 2013 breach left more than 41 million customer payment cards exposed.

Target is not alone, and the breaches keep coming: a month-long ransomware attack on Guess that included the theft of customer data, and an attack on Forever 21 that ran over a stunning seven-month period. After obtaining network access, the threat actors deployed malware to gather credit card data from the fashion retailer’s point-of-sale (POS) system. Forever 21 admitted that some of its POS devices had not previously been encrypted.

Under Armour needed a different kind of digital armor: its customers’ user names, email addresses, and passwords were compromised when an unauthorized third party accessed the data in February 2018.

A malware attack against Hudson Bay Corporation retailers’ POS resulted in the theft of more than five million credit cards, including those issued by Saks Fifth Avenue; the attackers subsequently attempted to sell the stolen data via the dark web.

A misconfigured database holding 204 gigabytes and 1.1 billion records, including customer email addresses, user IDs, and customer online search information gathered from CVS Health and CVS.com, was found publicly available and unsecured by cybersecurity researchers in 2021. And in 2014, using compromised employee credentials, attackers accessed approximately 145 million eBay accounts.

Complexity is growing in our increasingly connected world; it’s time to unify and harden enterprise infrastructure.

A 2022 survey revealed that “68% of retail respondents identified their Infrastructure-as-a-Service (IaaS) environments as multi-cloud, and the same percentage (68%) said they have over 25 Software-as-a-Service (SaaS) applications in use, leading to potential issues with the complexities of securing multiple cloud environments.”

Only 46% of respondents said they have complete knowledge or are very confident they know where their data is stored. 59% of retailers reported having five or more key management solutions, leading to increased vulnerabilities and cybersecurity challenges.

ConnX is proud to work with AT&T, bringing their comprehensive security-as-a-service offerings to our enterprise customers.

AT&T Cybersecurity provides advanced endpoint and network security services that scale as retailers expand their IT footprint with IoT technologies and provides cloud security solutions at every stage of the retailer’s cloud journey, from cloud security strategy and assessment services to threat detection and response for public cloud and SaaS environments.

Working in concert with AT&T, ConnX helps retailers simplify and accelerate regulatory compliance efforts with services like PCI DSS assessments, ASV-approved vulnerability scanning, and threat detection and response, helping to address 40+ PCI DSS requirements. We integrate all these solutions and more into the ideal platform for the large and distributed retailer with thousands of branches generating massive amounts of sensitive data.

DDoS defense and application layer security services are also mission-critical. Along with our highest-quality AI SD-WAN managed service offering, we help retailers maintain high availability and business continuity during a potential attack.

Contact us for a free assessment of your retail cyber security posture, and learn how we saved one mass retailer millions of dollars each year in the process.