More Retail Security Breaches Expected During Holidays

Brook Zimmatore | November 21, 2014

Retailers unsurprisingly are on edge entering the holiday season after last year’s wave of massive data breaches. As stores like Neiman Marcus, Home Depot and Target stabilise for the holidays, experts say this is the season for more sophisticated attacks.

According to International Business Times, CEO of Dispersive Technologies Robert Twitchell said “It’s just a matter of when they’re going to get hacked, not if.”

“It would be a surprise if it doesn’t happen again,” added Boston Consulting Group’s John Rose.

This is the time of the year when consumers spend a lot, and due to this large surge in spending, cybercrime is lucrative. That’s bad news for shoppers and retailers, who are still trying to overcome the effects of last year’s data breaches.

Just before Christmas in 2013, Target saw credit and debit card information stolen from 40 million accounts, along with the contact information of 70 million shoppers, in what went on to become the biggest data breach in the history of the United States.

Neiman Marcus saw the information of its own shoppers stolen, announcing that between July and October last year the credit card details of 350,000 customers were breached. The retailer also revealed that more than 9,000 cards were charged fraudulently.

“The cyberattack community is equally aware of the importance of the holiday season, and they’ve been working on things for a while, so you’re going to see an intensity of effort,” stated Rose on what he is expecting to see from retailers in this year’s shopping season.

The Identity Theft Resource Center reported that 644 breaches have been recorded so far this year, a 25.3 percent increase over the same period last year. The worst-hit include Home Depot, eBay, Goodwill, UPS, P.F. Chang’s, Dairy Queen and Orange Julius.

Sophisticated attacks on the horizon

The unfortunate news for shoppers and stores, beyond the breaches already expected, is that cyber criminals are upping their game in the kinds of attacks they mount. According to Trend Micro’s recent data, the average black-market price for debit and credit cards has decreased, which means hackers will be looking for new ways to attack consumers and gain more information.

The next big target could be mobile payments. Trend Micro’s report predicted that next year data breaches will hit mobile devices carrying consumer data, as well as the companies that store it. That said, financial information will continue to be the most sought-after data.

Robert Twitchell said the following in the other report:

“The attacks being done today are no longer like what they were five to 10 years ago,” he said. “We’re in a cyber war. Nation-states are involved, and a lot of the tools these nation-states are using are finding their way into criminal hands.”

Retailers suffer the most damage from these breaches, as they pay for fraud costs in advance as part of their payment card interchange fees. US retailers have also paid $6 billion to secure their payment acceptance systems in accordance with the Payment Card Industry (PCI) rules they have to comply with. They also end up paying fines and fees when a breach occurs.

What to do in terms of security?

Retailers can beef up their security through the following measures:

1) P2PE encryption

Point-to-point encryption (P2PE) can be used to encrypt card data from the time it is swiped to the time it gets decrypted by a merchant acquiring processor or another central service designated by the retailer. Not every P2PE solution is created equal, and it must be implemented properly to deliver the most benefit.

2) Threat intelligence feed

Malware can go undetected no matter how sophisticated the security in place. Solutions like Massive’s data breach notification system can provide retailers instant notification of compromised and infected POS terminals, along with profiles of vulnerable merchants. Such technology gathers data through raw data interception, so if a POS terminal is infected, the feed shows what consumer and financial information was extracted.

3) Rapid monitoring

Retailers can monitor network logs, such as those from file integrity monitoring systems, implement processes for logical and physical detection of USB devices that introduce malware, and sample store system memory for signs of malware.
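One way to combine two of the signals named in measure 3, as an added example that is not part of the original article: it raises the severity of a file integrity monitoring (FIM) alert on a POS binary when a USB storage device was attached to the same terminal shortly before. The log format, terminal IDs, file paths, extension list and 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)         # assumed correlation window
BINARY_EXT = (".exe", ".dll", ".sys")  # assumed set of executable file types

# Constructed sample events, not real logs. Assumed line format:
# <ISO timestamp> <terminal> <source> <event> <detail>
SAMPLE_LOG = [
    r"2014-11-28T09:02:11 POS-0101 usb attach mass-storage",
    r"2014-11-28T09:05:40 POS-0101 fim modified C:\POS\bin\payment.dll",
    r"2014-11-28T09:30:00 POS-0102 fim modified C:\POS\logs\app.log",
    r"2014-11-28T10:00:00 POS-0103 usb attach keyboard",
    r"2014-11-28T10:01:00 POS-0103 fim created C:\POS\bin\svc.exe",
    r"2014-11-28T11:00:00 POS-0104 usb attach mass-storage",
    r"2014-11-28T13:00:00 POS-0104 fim modified C:\POS\bin\payment.dll",
]

def parse(line):
    """Split one log line into (timestamp, terminal, source, event, detail)."""
    ts, terminal, source, event, detail = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), terminal, source, event, detail

def correlate(lines, window=WINDOW):
    """Return (terminal, severity, path) for every FIM change to a binary.

    Severity is "high" when a USB mass-storage attach was seen on the same
    terminal within `window` before the change, otherwise "medium".
    Changes to non-binary files (logs, data) are not reported.
    """
    last_usb = {}   # terminal -> time of most recent storage attach
    alerts = []
    for ts, terminal, source, event, detail in sorted(map(parse, lines)):
        if source == "usb" and event == "attach" and detail == "mass-storage":
            last_usb[terminal] = ts
        elif source == "fim" and detail.lower().endswith(BINARY_EXT):
            attached = last_usb.get(terminal)
            recent = attached is not None and ts - attached <= window
            alerts.append((terminal, "high" if recent else "medium", detail))
    return alerts

if __name__ == "__main__":
    for terminal, severity, path in correlate(SAMPLE_LOG):
        print(f"{severity.upper():6} {terminal} binary changed: {path}")
```

Any binary change on a production terminal is still reported at medium severity, since an unexpected change outside a maintenance window deserves review even without a USB event.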

After last year’s wake-up call, it’s time for retailers to be better prepared on security for this year’s shopping season.

Brook Zimmatore is the Co-Founder & CEO at Massive.