Attackers Targeting Retail Are Shopping for Low-Hanging Fruit

The end of the year is often a time of reflection. What went wrong? What went right? If you’re a retailer that experienced a security breach in 2016, you’re likely reflecting on what went wrong and seeking to identify the gaps in your security landscape. Why? Because breaches are costly.

In fact, the Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis” revealed that financial damage to online retail is escalating. In 2015, the retail sector experienced a significant increase in the cost of stolen data, from $105 per record in 2014 to $165 in 2015. In 2016, that amount rose to $172 per record in retail, substantially higher than the cross-industry average of $158.

Security Trends in Retail

A new IBM report focusing on security trends in the retail industry highlighted the threats to retailers’ networks that drive many of the data breaches responsible for this financial damage. You may be surprised to learn that many successful attacks against retailers stem from vulnerabilities characterized as low-hanging fruit.

The top two attack vectors observed across IBM Managed Security Services (MSS) networks, Shellshock and SQL injection, exploit unpatched vulnerabilities. Attackers are compromising retail networks where basic security measures — identify, protect, detect and recover — have not been performed.

[Figure: Pie chart of the most prevalent attack vectors in the retail industry]

Protecting Crown Jewels While Optimizing Customer Experience

As the intersection of personalization, privacy and security grows ever more complex, it becomes harder for retailers to protect their consumers’ sensitive information from both a privacy and a security standpoint.

Attackers targeting the retail industry are less interested in taking down a site and more focused on obtaining valuable information such as credit card data. Even if businesses are collecting, storing and using information properly, they must monitor the types of attacks targeting their networks and seek ways to mitigate the exfiltration of their consumers’ data.

For advice on how to address these threats and more insights about online retail security drawn from the recent Black Friday and Cyber Monday weekend, download the full IBM report, “Security Trends in the Retail Industry: Attackers Are Shopping for Low-Hanging Fruit.”

Michelle Alvarez

Threat Researcher and Editor, IBM Managed Security Services

Michelle Alvarez is a Threat Researcher and Editor for IBM's Managed Security Services; she brings more than 10 years of industry experience to her role. In this role she focuses communications efforts around threat research and mitigation. Michelle joined IBM through the Internet Security Services (ISS) acquisition, where she served as an Analyst on the X-Force Vulnerability Database Team.