Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure.
The good news for retail is that the cost of a data breach in the sector remains low compared to many industries. However, this does not mean cybersecurity shouldn’t be a high priority. For retail, intangible costs like company reputation are often more important.
What Is a Retail Data Breach?
Retail data breaches result in attackers making off with customer data: credit card numbers, names, addresses and (in the case of e-commerce data breaches) even passwords. Retail data breaches also involve attackers gaining access to company data or accounts.
The methods attackers use to breach data in retail include:
Read the full CODB report
- Skimming credit card information at the point of sale
- Sending phishing emails to social engineer information to obtain passwords or bank account numbers
- Sending or injecting malware that can steal or wipe data
- Using ransomware that holds data hostage until the victim pays a fee
- While not a direct breach, attackers can also launch a denial of service (DOS) attack as a tactic to execute the breach.
Well-Known Recent Retail Data Breaches
In June 2021, Wegmans suffered a breach due to cloud misconfiguration. Although the company did not disclose the number of exposed customers, personal data compromised included customer names, home and email addresses, phone numbers, loyalty club numbers, birthdates and passwords to online accounts.
Fashion retailer Guess faced a ransomware attack in July 2021. Attackers breached an undisclosed number of customer records. Personal data affected included driver’s license numbers and Social Security numbers. The attackers may also have been able to access other personal financial data and passport numbers.
In November, Panasonic disclosed an attack that at first only contained business partner and proprietary data. In January 2022, it announced that attackers also accessed job candidate and intern data.
How Much Does a Retail Data Breach Cost?
As noted above, retail data breaches are far down the list of the most costly. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach in retail in 2022 is $3.28 million, a very modest increase from the $3.27 million per breach in 2021. However, retail moved up from 15th to 14th on the list of most costly data breaches per industry.
In the retail sector, data breach costs go beyond what might be lost or stolen from companies or customers.
Costs may also include:
- Making good with customers in cash or credit and identity monitoring
- Litigation in the event of a class-action lawsuit
- Breach repairs and future breach prevention.
Don’t forget that for retail, damage caused by loss of consumer confidence can be very costly to a company’s good name and bottom line.
According to the report, the largest share of data breach costs in 2022 was detection and escalation, at $1.44 million. That’s an increase from $1.24 million in 2021, or 16.1% growth. These costs include tasks that enable a company to detect a breach. These costs include forensic and investigative work, assessment and audit services, crisis management and communications to executives and boards.
For retail even more than in other industries, the customer is paramount. Security workers in this field need to base their strategy upon a foundation of controlling what sensitive data is available to whom, the type of data and that it can be reached when needed.
Retailers must be vigilant about security across all fronts, from protecting data at the point of sale to safeguarding the servers where customer data is stored. An excellent strategy for this is adhering to good security hygiene like network segmentation, which splits networks into separate segments. For example, you’ll want to segment Internet of Things devices (more and more common in the retail sector) away from other devices or resources containing sensitive data. This also protects your network’s data from third-party vendors. These need access to specific devices but shouldn’t be able to access anything else. The 2014 Target breach was a classic example of the importance of third-party risk management.
Another strategy retailers can use to mitigate risk is to use the latest in point of sale tools. Accept EMV chip cards and mobile wallet payments.
Finally, retailers should consider adopting modern security tools like artificial intelligence (AI) and automation and move toward the zero trust model to protect information at every level, from corporate headquarters to storefronts and their e-commerce sites.
Why? These tools and technologies are clearly working. According to the 2022 report, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at those without. This 65.2% difference in average breach cost represents the largest cost savings in the study.
For retailers without a data breach prevention strategy already in place, 2022 is a great year to start.