August 31, 2022 By Mark Stone 3 min read

Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. Because retailers hold more personally identifiable information (PII) about customers than most industries, bad actors see retail as a lucrative place to cash in on their attacks. Plus, attackers can reuse attack methods more easily, since retailers share similar cybersecurity infrastructure.

The good news for retail is that the cost of a data breach in the sector remains low compared to many industries. However, this does not mean cybersecurity shouldn’t be a high priority. For retail, intangible costs like company reputation are often more important.

What is a retail data breach?

Retail data breaches result in attackers making off with customer data: credit card numbers, names, addresses and (in the case of e-commerce data breaches) even passwords. Retail data breaches also involve attackers gaining access to company data or accounts.

The methods attackers use to breach data in retail include:

  • Skimming credit card information at the point of sale
  • Sending phishing emails to social engineer information to obtain passwords or bank account numbers
  • Sending or injecting malware that can steal or wipe data
  • Using ransomware that holds data hostage until the victim pays a fee
  • Launching a denial of service (DoS) attack, which, while not a breach in itself, can be used as a tactic to help execute one

Well-known recent retail data breaches

In June 2021, Wegmans suffered a breach due to cloud misconfiguration. Although the company did not disclose the number of exposed customers, personal data compromised included customer names, home and email addresses, phone numbers, loyalty club numbers, birthdates and passwords to online accounts.

Fashion retailer Guess faced a ransomware attack in July 2021. Attackers breached an undisclosed number of customer records. Personal data affected included driver’s license numbers and Social Security numbers. The attackers may also have been able to access other personal financial data and passport numbers.

In November, Panasonic disclosed an attack that at first only contained business partner and proprietary data. In January 2022, it announced that attackers also accessed job candidate and intern data.

How much does a retail data breach cost?

As noted above, retail data breaches are far down the list of the most costly. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach in retail in 2022 is $3.28 million, a very modest increase from the $3.27 million per breach in 2021. However, retail moved up from 15th to 14th on the list of most costly data breaches per industry.

In the retail sector, data breach costs go beyond what might be lost or stolen from companies or customers.

Costs may also include:

  • Making good with customers in cash or credit and identity monitoring
  • Litigation in the event of a class-action lawsuit
  • Breach repairs and future breach prevention

Don’t forget that for retail, damage caused by loss of consumer confidence can be very costly to a company’s good name and bottom line.

According to the report, the largest share of data breach costs in 2022 was detection and escalation, at $1.44 million. That’s an increase from $1.24 million in 2021, or 16.1% growth. These are the costs of the activities that enable a company to detect a breach: forensic and investigative work, assessment and audit services, crisis management and communications to executives and boards.

Prevention strategies

For retail even more than in other industries, the customer is paramount. Security workers in this field need to build their strategy on a foundation of controlling which sensitive data is available, of what type, to whom, and ensuring it can be reached when needed.

Retailers must be vigilant about security across all fronts, from protecting data at the point of sale to safeguarding the servers where customer data is stored. An excellent strategy for this is adhering to good security hygiene like network segmentation, which splits networks into separate segments. For example, you’ll want to segment Internet of Things devices (more and more common in the retail sector) away from other devices or resources containing sensitive data. Segmentation also limits the exposure of your network’s data to third-party vendors, who need access to specific devices but shouldn’t be able to reach anything else. The 2014 Target breach was a classic example of the importance of third-party risk management.
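To make the segmentation idea concrete, here is an added example (not code from the article or from IBM) of a default-deny segmentation policy checked against flow records. The segment names, address ranges, allow rules and log lines are all constructed for this illustration: point-of-sale terminals may reach the customer-data servers on one port, a third-party vendor pool may reach only the IoT segment, and everything else is flagged. Running it over sample flows shows which connections a segmentation boundary would have blocked.

```python
"""Default-deny network segmentation policy evaluated over constructed flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical segments for a retailer network. The names and address
# ranges are assumptions for this example, not taken from the article.
SEGMENTS = {
    "pos": ip_network("10.10.0.0/24"),            # checkout terminals
    "iot": ip_network("10.20.0.0/24"),            # cameras, sensors, smart shelves
    "vendor": ip_network("10.30.0.0/24"),         # third-party remote-access pool
    "cardholder_db": ip_network("10.40.0.0/24"),  # servers holding customer data
}

# Allow rules as (source segment, destination segment, destination port).
# Any cross-segment flow not listed here is denied (default deny).
ALLOW_RULES = {
    ("pos", "cardholder_db", 443),  # terminals talk to the data tier over TLS only
    ("vendor", "iot", 22),          # vendor maintains its own devices, nothing more
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(addr: str) -> Optional[str]:
    """Return the name of the segment containing addr, or None if unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Apply the segmentation policy to one flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False  # traffic from or to an unknown range is never trusted
    if src_seg == dst_seg:
        return True   # intra-segment traffic is out of scope for this boundary policy
    return (src_seg, dst_seg, flow.dport) in ALLOW_RULES


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def find_violations(lines: List[str]) -> List[Flow]:
    """Return every flow in the log that the policy would deny."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


# Constructed sample flow log for the demonstration.
SAMPLE_FLOWS = [
    "10.10.0.5 10.40.0.10 443",   # POS -> cardholder DB over TLS: allowed
    "10.30.0.7 10.20.0.3 22",     # vendor -> its IoT device over SSH: allowed
    "10.30.0.7 10.40.0.10 443",   # vendor -> cardholder DB: violation
    "10.20.0.3 10.40.0.10 1433",  # IoT device -> cardholder DB: violation
    "10.10.0.5 10.10.0.6 445",    # POS -> POS within one segment: allowed
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} "
              f"({segment_of(flow.src)} -> {segment_of(flow.dst)})")
```

The two flagged flows are exactly the ones the paragraph warns about: a vendor account and an IoT device each reaching the customer-data tier. In production the same allow list would be expressed as firewall or cloud security-group rules, and a script like this one is useful for auditing flow logs against the intended policy rather than for enforcing it.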

Another strategy retailers can use to mitigate risk is to use the latest in point of sale tools. Accept EMV chip cards and mobile wallet payments.

Finally, retailers should consider adopting modern security tools like artificial intelligence (AI) and automation and move toward the zero trust model to protect information at every level, from corporate headquarters to storefronts and their e-commerce sites.

Why? These tools and technologies are clearly working. According to the 2022 report, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at those without. This 65.2% difference in average breach cost represents the largest cost savings in the study.

For retailers without a data breach prevention strategy already in place, 2022 is a great year to start.
