Light Dark
August 31, 2022 By Mark Stone 3 min read
Data Protection
Retail

Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure.

The good news for retail is that the cost of a data breach in the sector remains low compared to many industries. However, this does not mean cybersecurity shouldn’t be a high priority. For retail, intangible costs like company reputation are often more important.

What is a retail data breach?

Retail data breaches result in attackers making off with customer data: credit card numbers, names, addresses and (in the case of e-commerce data breaches) even passwords. Retail data breaches also involve attackers gaining access to company data or accounts.

The methods attackers use to breach data in retail include:

  • Skimming credit card information at the point of sale
  • Sending phishing emails to social engineer information to obtain passwords or bank account numbers
  • Sending or injecting malware that can steal or wipe data
  • Using ransomware that holds data hostage until the victim pays a fee
  • While not a direct breach, attackers can also launch a denial of service (DOS) attack as a tactic to execute the breach.
Read the full CODB report

Well-known recent retail data breaches

In June 2021, Wegmans suffered a breach due to cloud misconfiguration. Although the company did not disclose the number of exposed customers, personal data compromised included customer names, home and email addresses, phone numbers, loyalty club numbers, birthdates and passwords to online accounts.

Fashion retailer Guess faced a ransomware attack in July 2021. Attackers breached an undisclosed number of customer records. Personal data affected included driver’s license numbers and Social Security numbers. The attackers may also have been able to access other personal financial data and passport numbers.

In November, Panasonic disclosed an attack that at first only contained business partner and proprietary data. In January 2022, it announced that attackers also accessed job candidate and intern data.

How much does a retail data breach cost?

As noted above, retail data breaches are far down the list of the most costly. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach in retail in 2022 is $3.28 million, a very modest increase from the $3.27 million per breach in 2021. However, retail moved up from 15th to 14th on the list of most costly data breaches per industry.

In the retail sector, data breach costs go beyond what might be lost or stolen from companies or customers.

Costs may also include:

  • Making good with customers in cash or credit and identity monitoring
  • Litigation in the event of a class-action lawsuit
  • Breach repairs and future breach prevention.

Don’t forget that for retail, damage caused by loss of consumer confidence can be very costly to a company’s good name and bottom line.

According to the report, the largest share of data breach costs in 2022 was detection and escalation, at $1.44 million. That’s an increase from $1.24 million in 2021, or 16.1% growth. These costs include tasks that enable a company to detect a breach. These costs include forensic and investigative work, assessment and audit services, crisis management and communications to executives and boards.

Prevention strategies

For retail even more than in other industries, the customer is paramount. Security workers in this field need to base their strategy upon a foundation of controlling what sensitive data is available to whom, the type of data and that it can be reached when needed.

Retailers must be vigilant about security across all fronts, from protecting data at the point of sale to safeguarding the servers where customer data is stored. An excellent strategy for this is adhering to good security hygiene like network segmentation, which splits networks into separate segments. For example, you’ll want to segment Internet of Things devices (more and more common in the retail sector) away from other devices or resources containing sensitive data. This also protects your network’s data from third-party vendors. These need access to specific devices but shouldn’t be able to access anything else. The 2014 Target breach was a classic example of the importance of third-party risk management.

Another strategy retailers can use to mitigate risk is to use the latest in point of sale tools. Accept EMV chip cards and mobile wallet payments.

Finally, retailers should consider adopting modern security tools like artificial intelligence (AI) and automation and move toward the zero trust model to protect information at every level, from corporate headquarters to storefronts and their e-commerce sites.

Why? These tools and technologies are clearly working. According to the 2022 report, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at those without. This 65.2% difference in average breach cost represents the largest cost savings in the study.

For retailers without a data breach prevention strategy already in place, 2022 is a great year to start.

 |  |  |  |  |  |  | 
Mark Stone

More from Data Protection
November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

November 5, 2024

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature