E-commerce sales grew by nearly one-third in 2020, in large part due to the pandemic. Meanwhile, retail data breaches grew even more prevalent and costly. Retailers need to know not just the cost of a data breach, but the risks and challenges involved with one. This can help IT security professionals and business owners protect against attacks. It also helps to look at some of the more infamous data breaches of the past year. Be prepared by knowing what threats to protect against.

What Is a Retail Data Breach?

A retail data breach involves attackers stealing customer data. That can include credit card numbers, names, addresses and, in the case of e-commerce data breaches, even passwords. It can also involve attackers gaining access to company data or accounts, which increases the cost of a data breach.

There are several types of retail data breaches, including:

  • Skimming at the point of sale, where thieves steal credit card information and use it to make unauthorized purchases
  • Phishing, where threat actors social engineer information to obtain passwords or bank account numbers
  • Malware, or software that can steal or wipe data
  • Ransomware, or software that holds data hostage until the victim pays a fee.

Well-Known 2021 Data Breaches

A popular men’s clothing retailer, with both e-commerce and brick-and-mortar locations, suffered a devastating breach earlier this year, with customer data — including partial credit card information — stolen from millions of customers. The data was posted on a hacker forum after it was downloaded from the company’s backup cloud.

High-End Fashion Retailer Data Breach

Another high-end fashion retailer selling men’s, women’s and children’s clothing revealed a data breach in July. It included account numbers, debit and credit card numbers and other personal and financial information.

The retailer offered customers involved in the breach one year of free credit monitoring and identity theft protection services.

Big-Box Chain Store Data Breach

When many people think of shopping today, they think of big box stores. These chains face the same challenges as other retailers in protecting customer data. In spring 2021, one big-box store suffered a cloud-bucket misconfiguration. This lead to more than 300,000 customers having their data stolen.

The information exposed in the breach included names, phone numbers, addresses and the last four digits of credit and debit cards.

Children’s Clothing Retailer

Attackers stole personal and shipping information from more than 410,000 people in one June 2021 attack. Specifically, they struck online shoppers in a third-party data breach. Data included names, addresses, phone numbers, purchase details and more.

Grocery Store Chain

Several supermarket chains suffered data breaches in 2021. One in particular exposed cloud-based databases bearing customer information to the general public. Data may have included personal information, email addresses and passwords to loyalty club accounts. The company said the passwords were hashed and not visible in the data breach.

Auto Manufacturer and Dealer

Retail data breaches aren’t limited to places people may shop on a weekly basis. An auto manufacturer experienced a data breach in 2021 that affected 3.3 million car buyers and shoppers across the U.S. and Canada.

The breach affected the automaker’s website as well as some of its dealers, exposing consumer information that had been collected for sales and marketing between 2014 and 2019. Data exposed included driver’s license numbers for more than 90,000 people, which could open those customers to identity theft. A smaller number of customers had their social security or tax ID numbers stolen, along with their dates of birth.

However, 97% of those involved in the breach had only their contact information and vehicle data — including the Vehicle Identification Number, in some cases — taken.

How Much Does a Retail Data Breach Cost?

The good news is that, in spite of their prevalence, retail data breaches are not anywhere close to the most costly. The average cost of a data breach in retail in 2021 is $3.27 million. Retail ranks 15th on the list of most costly data breaches. However, the cost jumped steeply from 2020, when each breach cost an average of only $2.01 million, according to the 2021 Cost of a Data Breach Report. That represents a 62.7% increase, which was the fourth-highest increase, percentage-wise, out of the 17 industries analyzed in the report.

It’s important to remember that the costs of a data breach include not just money that may be stolen from the company or its customers, but also the costs of:

  • Compensating customers with credit monitoring and identity monitoring services or cash
  • Litigation if a class-action suit occurs
  • Fixing the breach and preventing future breaches.

Plus, there’s the high — and often unmeasurable — cost of lost consumer confidence that can damage your company’s reputation and result in lost sales.

The Cost of a Data Breach Report indicated that lost business held the lion’s share of data breach costs, representing 38% of the total costs of a data breach across industries. In a field like retail, that number may be higher than the average since a company’s reputation — and therefore, sales — relies heavily on keeping customer data safe.

What Are the Risks and Challenges of Data Security in the Retail Industry?

The massive spike in e-commerce sales in the past year created additional challenges for shopping websites to keep customer data safe. In addition, the retail industry faces many challenges in preventing data breaches.

First, stores must be vigilant about security across all fronts, from protecting data at the point of sale to protecting the servers where customer data is stored.

Store owners can mitigate risk by ensuring they use the latest in point of sale technology, including accepting EMV chip cards and mobile wallet payments. Companies should also deploy the latest tools online, including artificial intelligence and the zero trust model of IT security, to protect information at every level — from corporate headquarters to storefronts and, especially, on their e-commerce sites. That way, you can worry less about the cost of a data breach.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today