E-commerce sales grew by nearly one-third in 2020, in large part due to the pandemic. Meanwhile, retail data breaches grew even more prevalent and costly. Retailers need to know not just the cost of a data breach, but the risks and challenges involved with one. This can help IT security professionals and business owners protect against attacks. It also helps to look at some of the more infamous data breaches of the past year. Be prepared by knowing what threats to protect against.

What Is a Retail Data Breach?

A retail data breach involves attackers stealing customer data. That can include credit card numbers, names, addresses and, in the case of e-commerce data breaches, even passwords. It can also involve attackers gaining access to company data or accounts, which increases the cost of a data breach.

There are several types of retail data breaches, including:

  • Skimming at the point of sale, where thieves steal credit card information and use it to make unauthorized purchases
  • Phishing, where threat actors use social engineering to obtain passwords or bank account numbers
  • Malware, or software that can steal or wipe data
  • Ransomware, or software that holds data hostage until the victim pays a fee.

Well-Known 2021 Data Breaches

A popular men’s clothing retailer, with both e-commerce and brick-and-mortar locations, suffered a devastating breach earlier this year, with customer data — including partial credit card information — stolen from millions of customers. The data was posted on a hacker forum after it was downloaded from the company’s backup cloud.

High-End Fashion Retailer Data Breach

Another high-end fashion retailer selling men’s, women’s and children’s clothing revealed a data breach in July. It included account numbers, debit and credit card numbers and other personal and financial information.

The retailer offered customers involved in the breach one year of free credit monitoring and identity theft protection services.

Big-Box Chain Store Data Breach

When many people think of shopping today, they think of big-box stores. These chains face the same challenges as other retailers in protecting customer data. In spring 2021, one big-box store suffered a cloud-bucket misconfiguration. This led to more than 300,000 customers having their data stolen.

The information exposed in the breach included names, phone numbers, addresses and the last four digits of credit and debit cards.

Children’s Clothing Retailer

Attackers stole personal and shipping information from more than 410,000 people in one June 2021 attack. Specifically, they struck online shoppers in a third-party data breach. Data included names, addresses, phone numbers, purchase details and more.

Grocery Store Chain

Several supermarket chains suffered data breaches in 2021. One in particular exposed cloud-based databases bearing customer information to the general public. Data may have included personal information, email addresses and passwords to loyalty club accounts. The company said the passwords were hashed and not visible in the data breach.

Auto Manufacturer and Dealer

Retail data breaches aren’t limited to places people may shop on a weekly basis. An auto manufacturer experienced a data breach in 2021 that affected 3.3 million car buyers and shoppers across the U.S. and Canada.

The breach affected the automaker’s website as well as some of its dealers, exposing consumer information that had been collected for sales and marketing between 2014 and 2019. Data exposed included driver’s license numbers for more than 90,000 people, which could open those customers to identity theft. A smaller number of customers had their Social Security or tax ID numbers stolen, along with their dates of birth.

However, 97% of those involved in the breach had only their contact information and vehicle data — including the Vehicle Identification Number, in some cases — taken.

How Much Does a Retail Data Breach Cost?

The good news is that, in spite of their prevalence, retail data breaches are not anywhere close to the most costly. The average cost of a data breach in retail in 2021 is $3.27 million. Retail ranks 15th on the list of most costly data breaches. However, the cost jumped steeply from 2020, when each breach cost an average of only $2.01 million, according to the 2021 Cost of a Data Breach Report. That represents a 62.7% increase, which was the fourth-highest increase, percentage-wise, out of the 17 industries analyzed in the report.

It’s important to remember that the costs of a data breach include not just money that may be stolen from the company or its customers, but also the costs of:

  • Compensating customers with credit monitoring and identity monitoring services or cash
  • Litigation if a class-action suit occurs
  • Fixing the breach and preventing future breaches.

Plus, there’s the high — and often unmeasurable — cost of lost consumer confidence that can damage your company’s reputation and result in lost sales.

The Cost of a Data Breach Report indicated that lost business held the lion’s share of data breach costs, representing 38% of the total costs of a data breach across industries. In a field like retail, that number may be higher than the average since a company’s reputation — and therefore, sales — relies heavily on keeping customer data safe.

What Are the Risks and Challenges of Data Security in the Retail Industry?

The massive spike in e-commerce sales in the past year created additional challenges for shopping websites to keep customer data safe. In addition, the retail industry faces many challenges in preventing data breaches.

First, stores must be vigilant about security across all fronts, from protecting data at the point of sale to protecting the servers where customer data is stored.

Store owners can mitigate risk by ensuring they use the latest in point of sale technology, including accepting EMV chip cards and mobile wallet payments. Companies should also deploy the latest tools online, including artificial intelligence and the zero trust model of IT security, to protect information at every level — from corporate headquarters to storefronts and, especially, on their e-commerce sites. That way, you can worry less about the cost of a data breach.
