October 7, 2014 By Rick M Robinson 3 min read

If you want to make retail executives break out in cold sweats, just whisper “IT security breach” in their ear. The recently disclosed hacking strike against Home Depot, on the heels of last year’s breach at Target, has shown once again the risks that retail breaches pose to victimized companies. On top of their direct losses, they get the public blame, paying a price with both their customers and the financial markets.

Going After Customers

Theft has always been a challenge for retailers, but before the computer era, the thieves — from shoplifters to truck hijackers — were usually aiming to steal merchandise. In the age of the Internet, however, retailers’ most valuable and vulnerable asset has turned out to be their customers — specifically, those customers’ credit card accounts.

For cyberthieves, consumer credit card information is better than gold because it can be transmitted electronically and anonymously. Because consumer credit card transactions need to be fast and convenient, the cyberthieves can move quickly to skim cash out of the compromised accounts. With tens of millions of accounts compromised, the take adds up quickly.

It should come as no surprise, then, that the following top retailers have loomed large among the all-time largest hacks, as reported by Paul Ausick at 24/7 Wall St.:

5. Target

This big-box retailer received an unwelcome present last holiday season when it reported the theft of 40 million credit card accounts. In all, 70 million customers had at least some of their information compromised. On top of the $240 million spent to replace customers’ cards, both sales and the company’s stock price were driven down by the resulting public fallout.

4. Home Depot

Fellow big-box retailer Home Depot has become the newest inductee into the top 5 after reporting that it had been breached for 56 million credit card accounts. As John Zorabedian reports at Naked Security, losses are currently pegged at $62 million. However, the dust from this attack is only beginning to settle, and that figure is likely to rise.

3. TJX

It was back in the Bronze Age of criminal hacking, in 2005, that TJX Companies, the parent of the Marshalls and T.J.Maxx chains, got hit for 94 million accounts. The breach was not discovered until the next year, and Visa reported fraudulent transactions on those accounts in 13 different countries. A cybercriminal named Albert Gonzalez, called “Soupnazi,” is now serving 20 years for the crime.

2. Heartland Payment Systems

The payment processor for a host of retail businesses had no fewer than 130 million credit card accounts stolen in 2009, in a hacking operation for which four Russians and a Ukrainian were ultimately indicted. Heartland was, in fact, only the single largest victim of this operation, which is regarded as the biggest credit card hack of all time. The team’s other retail victims included JCPenney and 7-Eleven.

1. eBay

Online auctioneer eBay is technically a broker between merchants and customers, not a retail outlet in its own right, but it is certainly in the retail sector, where it has one of the world’s best-known brands. Last year, it was taken for 145 million customer accounts, currently the largest known haul of credit card data from a single targeted victim.

Fighting Back Against Retail Breaches

Retailers clearly have their work cut out for them in protecting their customers and themselves from payment card hacks. Three of the five largest attacks took place last year and this year — and that is just known attacks. Who knows what consumer information is being stolen as you read this?

The good news, oddly enough, is that all of these spectacular retail breaches involved security errors on the part of the victims. Measures that could have been taken were not put in place, and known vulnerabilities were left unprotected. All too often, the victims were slow to respond when they first detected a potential breach.

Beating up on the retail victims accomplishes nothing, but we can learn from their mistakes. We now know that sophisticated cyberthieves are after our customers’ payment card information. Taking effective measures to stop them is up to us.
