What are the biggest retail cyber incidents that have happened in the past few years? It seems like we are hearing of retail attacks more often and the damage is widespread, causing operational damages, financial losses and hurting reputations.
Let’s take a look at some of the biggest attacks of the past few years:
- TJX Companies – (2006-2007) 46 million records compromised
- T-Mobile – (2009) millions of records sold by a malicious insider
- Heartland Payment Systems – (2009) 130 million credit card accounts stolen
- Target – (2013) 110 million records compromised, infected payment card readers
- Home Depot – (2014) 256 million payment cards compromised, infected point-of-sale systems
- com – (2014) more than 2000 leaked usernames and passwords forcing retailer to suspend online shopping accounts
- eBay – (2014) credit card data was stolen from 145 million customer accounts
Lesson learned
The data breaches above all resulted in data loss leading to unforeseen reputational, financial and organizational damage. While we don’t like to see any company affected by cyber threats and attacks, companies who are willing to share information on these breaches will help increase public awareness of threats.
Below we have highlighted a few lessons that can be gleaned from some of the recent cyber attacks on the retail industry:
Human element
When taking a deeper look into many of retail’s biggest breaches, we see how the human element and human error have affected the situation. Poor security practices, lack of security understanding and training, and poor handling and exposure of sensitive data are all issues that often go unnoticed by security teams and allow easy access to customer data. Security needs to be practiced throughout the entire organization by all levels of employees. Talking to your employees about security is an ongoing, necessary conversation to help prevent attacks from the inside and avoid human error.
With the eBay breach, 145 million user accounts were stolen, but no credit card information. Hackers were able to steal names, phone numbers, e-mail addresses and home addresses from users, which led to them stealing login credentials for some employees. This eBay breach was likely the result of a phishing scam or social engineering attack that tricked employees into giving up their logins. In this situation, the best preventative measures would have been to encrypt user data and educate employees on phishing scams.
Well-configured firewalls
Security experts say Home Depot was the victim of a spear-phishing attack—a highly specific, targeted attack that makes its way into a system through e-mail and infects a computer with malware. In the case of the Home Depot attack, just one employee agreeing to install the malware could allow it to make a home and carry out further instructions, leading to the 256 million compromised payment accounts. In this case, if firewalls had been configured to block incoming and outgoing attacks, this breach may have been prevented.
While anti-virus or malware tools may not always have the strongest argument for protection, they can still prevent some forms of malware from being installed within your company. Anti-virus tools should be installed on every end-point system and should be regularly verified to ensure they are active and up-to-date.
Know the alarms and how to handle them
Some believe that Target was aware of attacks on their point-of-sale systems, which triggered alarms, but they failed to react properly, resulting in the massive breach and millions of compromised payment records. There are many vulnerabilities in a system, and notifications of these vulnerabilities must be handled promptly and properly according to the level of threat.
Companies should create a list of threats and alerts within their system and determine how each one will be handled. For retail businesses, payment system alerts should be a top priority. Payment systems should be segregated from other networks to prevent the spread of an attack. Companies should also ensure that fraud prevention measures are in place and being monitored. Alerts on intrusion detection systems should also be addressed immediately—be aware of repeated attempts that display similar characteristics.
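The alert-handling list described above, sketched as an added example that is not part of the original article: a hypothetical playbook maps each alert category to a priority and response, with payment system alerts on top, and repeated alerts that share a source and signature are surfaced first within their priority level. The category names, threshold, time window and sample alerts are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical handling list: alert category -> (priority, response). 1 = most urgent.
PLAYBOOK = {
    "payment_system": (1, "page on-call; isolate the affected payment segment"),
    "intrusion_detection": (2, "investigate immediately"),
    "fraud_monitoring": (2, "review with the fraud team"),
    "antivirus": (3, "verify the agent is active and up to date"),
}
DEFAULT = (4, "review in the daily queue")
REPEAT_THRESHOLD = 3                   # assumed: 3 similar alerts...
REPEAT_WINDOW = timedelta(minutes=10)  # ...within 10 minutes count as repeated

def _alert(ts, category, source, signature):
    return {"time": datetime.fromisoformat(ts), "category": category,
            "source": source, "signature": signature}

# Constructed sample alerts (not real incident data).
SAMPLE_ALERTS = [
    _alert("2024-01-01T09:00:00", "antivirus", "ws-114", "agent-out-of-date"),
    _alert("2024-01-01T09:01:00", "intrusion_detection", "192.0.2.10", "failed-admin-login"),
    _alert("2024-01-01T09:03:00", "intrusion_detection", "192.0.2.10", "failed-admin-login"),
    _alert("2024-01-01T09:04:00", "payment_system", "pos-07", "unexpected-process"),
    _alert("2024-01-01T09:06:00", "intrusion_detection", "192.0.2.10", "failed-admin-login"),
    _alert("2024-01-01T09:30:00", "intrusion_detection", "198.51.100.4", "port-scan"),
]

def find_repeats(alerts):
    """Return (source, signature) pairs seen REPEAT_THRESHOLD+ times in one window."""
    seen = defaultdict(list)
    for a in alerts:
        seen[(a["source"], a["signature"])].append(a["time"])

    def burst(times):
        # Pair each timestamp with the one REPEAT_THRESHOLD - 1 positions later.
        times = sorted(times)
        return any(b - a <= REPEAT_WINDOW for a, b in zip(times, times[REPEAT_THRESHOLD - 1:]))
    return {key for key, times in seen.items() if burst(times)}

def triage(alerts):
    """Order alerts by playbook priority, repeated patterns first within a level."""
    repeats = find_repeats(alerts)
    queue = []
    for a in alerts:
        priority, response = PLAYBOOK.get(a["category"], DEFAULT)
        repeated = (a["source"], a["signature"]) in repeats
        queue.append({**a, "priority": priority, "response": response, "repeated": repeated})
    return sorted(queue, key=lambda a: (a["priority"], not a["repeated"], a["time"]))
```

Calling `triage(SAMPLE_ALERTS)` puts the payment system alert at the head of the queue, followed by the three repeated login failures from one source, then the isolated port scan and the anti-virus notice.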
Cyber attacks on the retail industry are hard-hitting and continue to surface. The retail industry should be learning from past and present attacks to ensure the security of their own networks and systems. If IT and security teams take these steps beforehand, they are likely to decrease the chances of their company being attacked.