Retailers & PII, Oh My!

The holidays are often thought of as the season for giving. But in the retail industry, it is also a season of cyberattacks, fraud, and identity theft. In the world of cybercrime, the spirit of giving is replaced by the spirit of scheming, and threat actors are hard at work.  

Retailers must be extra diligent in protecting the personally identifiable information (PII) that they collect from customers and store.

Prevalence of cyberattacks in retail 

According to ThreatMetrix’s Q4 2017 Cybercrime Report, the retail industry experienced an increase in attacks during the final three months of the year. During the quarter, attacks on their ecommerce customers spiked with nearly 193 million rejected transactions – a 92% increase over the previous quarter, and a 173% increase over the previous year.

While organizations should not wait until the holidays to focus on security, the rise in attacker activity at the end of the year spotlights the pressure retailers are under to protect customer data.

In the 2018 Thales Data Threat Report, Retail Edition, researchers reported that among U.S. retail respondents, 75% had experienced a breach in the past, and 50% said they had been breached in the past year. U.S. retailers were also found to be more likely to store sensitive data in the cloud, but only 26% reported implementing encryption. Failing to properly protect data and securely configure workloads in the cloud can lead to both data breaches and unintentional leaks.   

During this time of year, attackers will often try to cast as wide a net as they can. Consumers can expect to be hit with phishing attacks designed to steal their site credentials, as well as emails that use holiday-shopping-themed lures to entice them to download malware. Less wary shoppers may be tempted to browse sites they don’t know and should not trust. For businesses, cross-site scripting attacks that allow a cybercriminal to insert malicious code onto their website threaten not only customer data but also their reputation. With the average dwell time of attacks standing at 100 days, the groundwork for these kinds of attacks may already have been laid by the time the holidays arrive. By staying quiet, sophisticated and financially motivated attackers can put themselves in position to reap the benefits of eager shoppers spiking the web traffic of retailers.

Security considerations 

More than anything else, the holidays are a test of how strong a retailer’s security posture truly is. Knowing what potential weak spots exist is critical for retailers this time of year. That process includes having an understanding of baseline behavior and web traffic. Is there an unexpected rise in requests to a particular server? Should this particular system be communicating with point-of-sale (PoS) devices? This information can help security teams identify malicious behavior.

Strong application monitoring and access controls will go a long way. Once you have those controls in place, any abnormal or unauthorized activity will generate a red flag. Without those controls, activity that should trigger alerts will be missed, and data will probably already be stolen by the time businesses notice the threat. This includes being vigilant about access by contractors and third-party partners who may interact with the network. 

In addition — and this cannot be stressed enough — basic security and compliance hygiene still apply. That includes ensuring that all systems are up-to-date with the latest security patches, and that customer-facing websites are checked for vulnerabilities. Any new widgets or applications being rolled out during the holiday season should be subjected to rigorous code review.  

In some of the recent injection attacks Armor has seen, attackers have loaded malicious code that targets the victim’s web browser as opposed to the web server. This could happen in any number of ways, from a cross-site scripting attack to a vulnerable third-party library component getting compromised to files getting changed after a server was hacked. By monitoring the content of their web pages and implementing proactive controls, such as Content Security Policy, businesses can ensure they are alerted when an unauthorized change occurs and can help prevent or even eliminate XSS vectors.
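
One way to implement the page-content monitoring and Content Security Policy controls described above, as an added example (not Armor's code): it inventories the scripts on an approved copy of a page, flags anything new on a later crawl, and derives a `script-src` policy from the baseline. The URLs, sample pages, function names and the `/csp-report` endpoint are assumptions.

```javascript
const { createHash } = require('crypto');

const PAGE_URL = 'https://shop.example/checkout'; // constructed storefront URL

// CSP hash-source for an inline script body, e.g. 'sha256-<base64>'
const cspHash = (body) =>
  `'sha256-${createHash('sha256').update(body, 'utf8').digest('base64')}'`;

// Collect external script origins and inline-script hashes from a page.
// A regex is adequate for these constructed samples; use an HTML parser on real pages.
function inventoryScripts(html, pageUrl = PAGE_URL) {
  const sources = new Set();
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) sources.add(new URL(src[1], pageUrl).origin);
    else if (body.trim()) sources.add(cspHash(body));
  }
  return sources;
}

// Entries present on the observed page but absent from the approved baseline.
function unauthorizedScripts(baselineHtml, observedHtml) {
  const approved = inventoryScripts(baselineHtml);
  return [...inventoryScripts(observedHtml)].filter((s) => !approved.has(s));
}

// script-src policy that allows only what the baseline contains and reports violations.
function buildCsp(baselineHtml, pageUrl = PAGE_URL) {
  const self = new URL(pageUrl).origin;
  const list = [...inventoryScripts(baselineHtml, pageUrl)]
    .map((s) => (s === self ? "'self'" : s));
  return `script-src ${list.join(' ')}; report-uri /csp-report`; // hypothetical endpoint
}

// Constructed sample pages: the approved build and a later crawl of the same URL.
const BASELINE = `<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script>initCart();</script>`;
const OBSERVED = BASELINE.replace('initCart();', 'initCart();loadExtra();') +
  '\n<script src="https://unknown-host.example/x.js"></script>';

console.log(buildCsp(BASELINE));
console.log(unauthorizedScripts(BASELINE, OBSERVED));
```

The second call lists the changed inline script (by its new hash) and the origin that was not in the approved build; both would also be blocked and reported by the browser under the generated policy.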

PoS systems remain a critical target for attackers, as they interact with credit card data. While PoS security is covered by compliance mandates, here are a few items to keep in mind: 

  • Use encryption to protect data on PoS systems 
  • Test for vulnerabilities and monitor for unauthorized activity 
  • Segment all networks that use PoS systems 
  • Protect access with complex passwords 

The end of the year may be an optimal time for attackers, but organizations that have focused on security all year long will be best equipped to protect themselves and their customers’ PII.
