E-commerce sales grew by nearly one-third in 2020, in large part due to the pandemic. Meanwhile, retail data breaches grew even more prevalent and costly. Retailers need to know not just the cost of a data breach, but the risks and challenges involved with one. This can help IT security professionals and business owners protect against attacks. It also helps to look at some of the more infamous data breaches of the past year. Be prepared by knowing what threats to protect against.

What Is a Retail Data Breach?

A retail data breach involves attackers stealing customer data. That can include credit card numbers, names, addresses and, in the case of e-commerce data breaches, even passwords. It can also involve attackers gaining access to company data or accounts, which increases the cost of a data breach.

There are several types of retail data breaches, including:

• Skimming at the point of sale, where thieves steal credit card information and use it to make unauthorized purchases
• Phishing, where threat actors social engineer information to obtain passwords or bank account numbers
• Malware, or software that can steal or wipe data
• Ransomware, or software that holds data hostage until the victim pays a fee.

Well-Known 2021 Data Breaches

A popular men’s clothing retailer, with both e-commerce and brick-and-mortar locations, suffered a devastating breach earlier this year, with customer data — including partial credit card information — stolen from millions of customers. The data was posted on a hacker forum after it was downloaded from the company’s backup cloud.

High-End Fashion Retailer Data Breach

Another high-end fashion retailer selling men’s, women’s and children’s clothing revealed a data breach in July. It included account numbers, debit and credit card numbers and other personal and financial information.

The retailer offered customers involved in the breach one year of free credit monitoring and identity theft protection services.

Big-Box Chain Store Data Breach

When many people think of shopping today, they think of big box stores. These chains face the same challenges as other retailers in protecting customer data. In spring 2021, one big-box store suffered a cloud-bucket misconfiguration. This lead to more than 300,000 customers having their data stolen.

The information exposed in the breach included names, phone numbers, addresses and the last four digits of credit and debit cards.

Children’s Clothing Retailer

Attackers stole personal and shipping information from more than 410,000 people in one June 2021 attack. Specifically, they struck online shoppers in a third-party data breach. Data included names, addresses, phone numbers, purchase details and more.

Grocery Store Chain

Several supermarket chains suffered data breaches in 2021. One in particular exposed cloud-based databases bearing customer information to the general public. Data may have included personal information, email addresses and passwords to loyalty club accounts. The company said the passwords were hashed and not visible in the data breach.

Auto Manufacturer and Dealer

Retail data breaches aren’t limited to places people may shop on a weekly basis. An auto manufacturer experienced a data breach in 2021 that affected 3.3 million car buyers and shoppers across the U.S. and Canada.

The breach affected the automaker’s website as well as some of its dealers, exposing consumer information that had been collected for sales and marketing between 2014 and 2019. Data exposed included driver’s license numbers for more than 90,000 people, which could open those customers to identity theft. A smaller number of customers had their social security or tax ID numbers stolen, along with their dates of birth.

However, 97% of those involved in the breach had only their contact information and vehicle data — including the Vehicle Identification Number, in some cases — taken.

How Much Does a Retail Data Breach Cost?

The good news is that, in spite of their prevalence, retail data breaches are not anywhere close to the most costly. The average cost of a data breach in retail in 2021 is $3.27 million. Retail ranks 15th on the list of most costly data breaches. However, the cost jumped steeply from 2020, when each breach cost an average of only $2.01 million, according to the 2021 Cost of a Data Breach Report. That represents a 62.7% increase, which was the fourth-highest increase, percentage-wise, out of the 17 industries analyzed in the report.

It’s important to remember that the costs of a data breach include not just money that may be stolen from the company or its customers, but also the costs of:

• Compensating customers with credit monitoring and identity monitoring services or cash
• Litigation if a class-action suit occurs
• Fixing the breach and preventing future breaches.

Plus, there’s the high — and often unmeasurable — cost of lost consumer confidence that can damage your company’s reputation and result in lost sales.

The Cost of a Data Breach Report indicated that lost business held the lion’s share of data breach costs, representing 38% of the total costs of a data breach across industries. In a field like retail, that number may be higher than the average since a company’s reputation — and therefore, sales — relies heavily on keeping customer data safe.

What Are the Risks and Challenges of Data Security in the Retail Industry?

The massive spike in e-commerce sales in the past year created additional challenges for shopping websites to keep customer data safe. In addition, the retail industry faces many challenges in preventing data breaches.

First, stores must be vigilant about security across all fronts, from protecting data at the point of sale to protecting the servers where customer data is stored.

Store owners can mitigate risk by ensuring they use the latest in point of sale technology, including accepting EMV chip cards and mobile wallet payments. Companies should also deploy the latest tools online, including artificial intelligence and the zero trust model of IT security, to protect information at every level — from corporate headquarters to storefronts and, especially, on their e-commerce sites. That way, you can worry less about the cost of a data breach.