Data Protection August 31, 2022
By Mark Stone 3 min read
Series: 2022 Cost of a Data Breach Report

Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure.

The good news for retail is that the cost of a data breach in the sector remains low compared to many industries. However, this does not mean cybersecurity shouldn’t be a high priority. For retail, intangible costs like company reputation are often more important.

What Is a Retail Data Breach?

Retail data breaches result in attackers making off with customer data: credit card numbers, names, addresses and (in the case of e-commerce data breaches) even passwords. Retail data breaches also involve attackers gaining access to company data or accounts. 

The methods attackers use to breach data in retail include: 

  • Skimming credit card information at the point of sale
  • Sending phishing emails to social engineer information to obtain passwords or bank account numbers
  • Sending or injecting malware that can steal or wipe data
  • Using ransomware that holds data hostage until the victim pays a fee
  • While not a direct breach, attackers can also launch a denial of service (DOS) attack as a tactic to execute the breach.
Read the full CODB report

Well-Known Recent Retail Data Breaches 

In June 2021, Wegmans suffered a breach due to cloud misconfiguration. Although the company did not disclose the number of exposed customers, personal data compromised included customer names, home and email addresses, phone numbers, loyalty club numbers, birthdates and passwords to online accounts.

Fashion retailer Guess faced a ransomware attack in July 2021. Attackers breached an undisclosed number of customer records. Personal data affected included driver’s license numbers and Social Security numbers. The attackers may also have been able to access other personal financial data and passport numbers.

In November, Panasonic disclosed an attack that at first only contained business partner and proprietary data. In January 2022, it announced that attackers also accessed job candidate and intern data.

How Much Does a Retail Data Breach Cost?

As noted above, retail data breaches are far down the list of the most costly. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach in retail in 2022 is $3.28 million, a very modest increase from the $3.27 million per breach in 2021. However, retail moved up from 15th to 14th on the list of most costly data breaches per industry.

In the retail sector, data breach costs go beyond what might be lost or stolen from companies or customers.

Costs may also include: 

  • Making good with customers in cash or credit and identity monitoring
  • Litigation in the event of a class-action lawsuit
  • Breach repairs and future breach prevention.

Don’t forget that for retail, damage caused by loss of consumer confidence can be very costly to a company’s good name and bottom line.

According to the report, the largest share of data breach costs in 2022 was detection and escalation, at $1.44 million. That’s an increase from $1.24 million in 2021, or 16.1% growth. These costs include tasks that enable a company to detect a breach. These costs include forensic and investigative work, assessment and audit services, crisis management and communications to executives and boards. 

Prevention Strategies 

For retail even more than in other industries, the customer is paramount. Security workers in this field need to base their strategy upon a foundation of controlling what sensitive data is available to whom, the type of data and that it can be reached when needed.

Retailers must be vigilant about security across all fronts, from protecting data at the point of sale to safeguarding the servers where customer data is stored. An excellent strategy for this is adhering to good security hygiene like network segmentation, which splits networks into separate segments. For example, you’ll want to segment Internet of Things devices (more and more common in the retail sector) away from other devices or resources containing sensitive data. This also protects your network’s data from third-party vendors. These need access to specific devices but shouldn’t be able to access anything else. The 2014 Target breach was a classic example of the importance of third-party risk management. 

Another strategy retailers can use to mitigate risk is to use the latest in point of sale tools. Accept EMV chip cards and mobile wallet payments. 

Finally, retailers should consider adopting modern security tools like artificial intelligence (AI) and automation and move toward the zero trust model to protect information at every level, from corporate headquarters to storefronts and their e-commerce sites. 

Why? These tools and technologies are clearly working. According to the 2022 report, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at those without. This 65.2% difference in average breach cost represents the largest cost savings in the study.

For retailers without a data breach prevention strategy already in place, 2022 is a great year to start. 

 |  |  |  |  |  |  | 
Mark Stone

More from Data Protection
September 13, 2023

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

August 30, 2023

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

August 28, 2023

Advanced analytics can help detect insider threats rapidly

2 min read - While external cyber threats capture headlines, the rise of insider threats from within an organization is a growing concern. In 2023, the average cost of a data breach caused by an insider reached $4.90 million, 9.6% higher than the global average data breach cost of $4.45 million. To effectively combat this danger, integrating advanced analytics into data security software has become a critical and proactive defense strategy. Understanding insider threats Insider threats come from users who abuse authorized access to…

August 22, 2023

One simple way to cut ransomware recovery costs in half

4 min read - Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. The median recovery cost for those that use backups is half the cost incurred by those that paid the ransom, according to a recent study. Similarly, the mean recovery cost is almost $1 million lower for those that used backups. Despite this fact, the use of backups is actually falling. This was one of the…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature