As the world of retail moved online during the pandemic, so too did the thieves. These cybercrooks are hunting for customer data – and lots of it. Retail Week examines the increased volume of cyberattacks against retailers and how companies can protect themselves
- Reputational damage is a huge risk for retailers who experience a cyber attack
- Education for employees is the essential first step in protecting an organisation
- The rapid pace of digital transformation may have made retailers more vulnerable
- The number of attacks is expected to increase as online penetration grows
“The reality is that virtually every business is being attacked all the time in some way.” The words of Fenwick chief executive John Edgar throw into stark relief the frightening scale of the online threat now faced by the UK’s biggest retailers.
Whether such threats come “at an individual level with spurious emails, or at a much bigger, more sinister corporate level,” Edgar and his peers must ensure their businesses are more prepared than ever to identify and nullify cyber attacks.
In Fenwick’s latest full-year results, unveiled in September, the department store chain highlighted an increased investment in its IT and cybersecurity infrastructure due to “frequent malware attacks”.
“It’s just part of life, this new technology,” Edgar says. “It’s a bit like putting security guards in your store - you’ve just got to do it as part of the business.”
The data backs up his words of warning. According to computer security software company McAfee, 57% of all UK businesses faced increased cyber threats during the coronavirus pandemic.
A report from security software and hardware firm Sophos revealed that retail and education were targeted by ransomware attacks more than any other industry during 2020, with 44% of all organisations worldwide impacted.
And according to cyber threat intelligence platform RiskIQ, £27,262.93 is lost to online payment fraud every single minute on the internet across the globe.
The battle for customer data
The growing volumes of customer data, including payment information, now stored on retailers’ servers following a surge in online shopping during the Covid-19 crisis, have placed them firmly on the hit list of cybercriminals - and even the biggest and most advanced online operators are not safe.
Tesco was forced to shut down both its grocery ordering website and smartphone app for more than 24 hours in October following an attempted hack, before publicly reassuring customers that their data hadn’t been compromised.
Yet such attacks on British businesses are just the tip of a growing global iceberg. In September, American department store chain Neiman Marcus informed 4.6 million customers that their personal information, including credit card numbers, may have been accessed in a May 2020 data breach.
Italian menswear brand Boggi Milano was targeted by hacker group Ragnarok in the spring, in a ransomware attack that resulted in Ragnarok stealing 40GB of corporate data. Earlier in November, German electricals giant MediaMarktSaturn suffered a similar attack, encrypting 3,100 servers and disrupting store operations across the Netherlands and its homeland.
Heading into the crucial Black Friday and Christmas trading periods, fears are mounting that retailers could be at greater risk from cybercriminals than ever before.
“We’re approaching the festive season, which is a peak season for the retail sector. It’s not only a stress test on the current systems you have, but it might also make you a lucrative target for cyber targets,” McAfee Enterprise principal engineer and head of cyber investigations John Fokker says.
IMRG strategy and insight director Andy Mulcahy agrees: “Criminals chase where the activity is. If you’ve got more activity happening online, logic dictates that criminal activity will follow.”
Cybercriminals preying on retailers are hoping to take advantage of the speed at which many were forced to increase their online operations during the height of the Covid-19 crisis. Businesses across the sector moved online, began to offer new solutions such as click and collect, or rapidly increased ecommerce capacity when social distancing restrictions were enforced in early 2020.
“What the pandemic did was it forced digital transformation to happen quickly,” Mulcahy explains. “With that, it brings certain risks. It does logically lead to the possibility of having a few more gaps in what you’re doing. These gaps then render a retail company more open to a potential cyber attack.”
Forms of attack
But it’s not just the retailers themselves that are under siege - hacking groups are also targeting entire supply chains, creating chaos for swathes of connected businesses.
In July, for instance, hackers compromised IT software supplier Kaseya, in a ransomware attack that spread to both its clients and service providers - and in turn, the businesses supported by those providers.
In total, more than 1,000 companies were estimated to have been impacted. Among the long list of compromised companies was Swedish supermarket Coop, which was forced to shut all but five of its 800 stores after its cash register and self-service checkout systems failed in the aftermath of the attack.
Oxford University professor of cybersecurity Ciaran Martin later described it as “one of the largest supply chain attacks to date”.
Ransomware forms part of many attacks, leaving those impacted in a catch-22. Normal operations cannot resume due to the malware encrypting files on a device or server, yet decryption is usually only a possibility if impacted businesses pay a ransom, now typically requested in cryptocurrency.
Other forms of attack include credential stuffing – using stolen login credentials to gain access to a user’s account – and a distributed denial-of-service attack (DDoS) – disrupting the flow of normal traffic to a server or network by overwhelming it with traffic from multiple sources, thus preventing regular users from accessing the site.
The pandemic has also driven a rise in e-skimming attacks, whereby hackers inject malicious code into payment pages, and siphon off payment information from customers as they make a purchase.
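The credential-stuffing pattern described above is detectable on the defender's side because it looks unlike normal failed logins: one source tries many different accounts in a short time, and most of those attempts fail. The following is an added illustration, not code from the article or from any retailer it names; the log format, the IP addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Added example (not part of the Retail Week article): flag the
credential-stuffing pattern in constructed login-log lines.

Assumed log line format (a made-up format for this example):
    <ISO-8601 timestamp> ip=<client ip> user=<login name> result=OK|FAIL
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["user"], m["result"] == "OK"


def find_credential_stuffing(lines, *, window=timedelta(minutes=10),
                             min_distinct_users=5, min_fail_ratio=0.8):
    """Return the sorted source IPs that, within `window`, attempted at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_fail_ratio`. A single user mistyping a password repeatedly never
    trips this rule; many *different* users from one source does. The
    thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than stop the detector
        ts, ip, user, ok = parsed
        by_ip[ip].append((ts, user, ok))

    flagged = set()
    for ip, events in by_ip.items():
        events.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            fails = sum(1 for _, _, ok in current if not ok)
            users = {user for _, user, _ in current}
            if len(users) >= min_distinct_users and fails / len(current) >= min_fail_ratio:
                flagged.add(ip)
                break
    return sorted(flagged)


# Constructed sample log: one stuffing burst, one forgetful user, one shared
# office address, and one malformed line the parser must tolerate.
SAMPLE_LOG = [
    "2021-11-19T09:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2021-11-19T09:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2021-11-19T09:00:02Z ip=203.0.113.7 user=carol result=FAIL",
    "2021-11-19T09:00:03Z ip=203.0.113.7 user=dave result=OK",
    "2021-11-19T09:00:04Z ip=203.0.113.7 user=erin result=FAIL",
    "2021-11-19T09:00:05Z ip=203.0.113.7 user=frank result=FAIL",
    "2021-11-19T09:01:00Z ip=198.51.100.20 user=grace result=FAIL",
    "2021-11-19T09:01:10Z ip=198.51.100.20 user=grace result=FAIL",
    "2021-11-19T09:01:20Z ip=198.51.100.20 user=grace result=OK",
    "2021-11-19T09:02:00Z ip=192.0.2.9 user=heidi result=OK",
    "2021-11-19T09:02:05Z ip=192.0.2.9 user=ivan result=OK",
    "2021-11-19T09:02:09Z ip=192.0.2.9 user=judy result=FAIL",
    "2021-11-19T09:02:15Z ip=192.0.2.9 user=judy result=OK",
    "2021-11-19T09:02:30Z ip=192.0.2.9 user=mallory result=OK",
    "not a log line",
]

if __name__ == "__main__":
    print("suspected credential stuffing from:", find_credential_stuffing(SAMPLE_LOG))
```

Only 203.0.113.7 is reported: it hits five different accounts within seconds with four failures, whereas the office address shows several users logging in successfully and the single user from 198.51.100.20 fails only on their own account. In production the same rule would typically be applied per hashed username and per device fingerprint as well as per IP, since stuffing tools spread attempts across many addresses.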
‘Hacking ourselves’
For those affected by a cyberattack, the impact reaches far beyond the initial disruption and lost sales. “It’s not so much the immediate hit - there’s the loss of earnings but also the reputational damage. In some ways, the reputational damage is the worst impact,” Mulcahy suggests.
Headlines in the press and social media posts about the incident linger long after a website is back up and running or customers have been contacted - coverage that could impact consumers’ trust in a brand if they believe their personal data could be at risk.
One industry source warns: “Reputational damage is the biggest potential risk at the moment. You’ve got potential fines [for data breaches] but you stand to lose a lot more in reputational risk.”
With longer-term consumer trust and loyalty at stake, dedicated cybersecurity teams are now deemed essential, with investment in security technology growing at pace as retailers attempt to arm themselves with the best possible tools to fend off malware attacks.
Tash Norris, head of security at online cards and gifts specialist Moonpig, says her team models potential cyber threats by “hacking ourselves”. The strategy allows the retailer to identify flaws in its own systems that would make it vulnerable to cyber attacks, before creating solutions to mitigate those potential risks.
“The whole idea is to test the things that we are building - it’s almost like they are a muscle and we are trying to exercise it,” explains Norris. “You bring the engineers on the journey, you show them how you think as an attacker and get them to think about all of the things that can go wrong with the [products] they are building.
“We regularly hack ourselves, we do it in a safe way in a development environment. We don’t do it against customer data.”
Power of education
However, the most important weapon in the battle against cybercrime is ongoing education. To avoid human error, such as clicking errant links, companies need to provide employees with regular training.
There must be clear protocols in place for employees and customers to alert the company once they realise that they have inadvertently made an error by clicking on a malicious link. Employers must also set clear boundaries governing who has access to hoards of coveted customer data in the first place.
Norris explains that as well as safeguarding customer data across all of Moonpig’s platforms, a key part of her role is engaging with employees and “helping them to understand what cybersecurity is.”
“We spend a lot of time helping our employees outside the workplace as well, understanding the impact of their social media profiles or IoT [internet of things] devices in their house,” Norris says. “I found that helps to bring a little bit more awareness and integrity to some of the things we do […] to make it feel like we are not just protecting Moonpig, but protecting you as an individual as well.”
Moonpig hosts weekly drop-in virtual calls where the cybersecurity team discusses an incident that highlights a particular theme, such as the perils of default passwords, and offers the chance for members of the team to learn more.
Just last week, a Wired investigation revealed that employees in Amazon’s online retail division had undue access to swathes of consumer data, highlighting that low-level employees could discover celebrity purchases and sabotage some businesses after accepting bribes from others. Amazon did not know whether millions of credit card details had also been accessed by employees.
Such revelations are even more startling when you consider that, just last month, the etail behemoth made the cybersecurity training resources used by its own employees available to other companies and individuals globally free of charge in order to support cybersecurity education.
Peak threat
Ahead of the crucial Black Friday and Christmas trading period, the rise in cyberattacks shows no sign of slowing as online penetration grows. Three-quarters of retailers believe that the number of cyberattacks they are faced with will only increase in the next 12 months, according to a survey by password manager Keeper.
Not only will the volume of ransomware attacks rise as more of the world moves online, so too will the ransom demands from hackers. Insurance company CNA Financial reportedly paid $40m (£29.9m) to hackers in March, while the world’s largest meat processor JBS paid $11m worth of bitcoin to regain control of its systems in June.
McAfee’s Fokker warns: “My experience says we are going to see more. It’s simply the fact that when people are forced to move towards a more hybrid situation, embrace newer technology and it is done at a faster pace than they are comfortable - that’s where weaknesses will appear.”
With the threat of more attacks on the horizon, compulsory training, such as that offered by Amazon and Moonpig, must go beyond a one-off exercise. Regular reminders, drop-in sessions, quizzes and quarterly training updates are among the initiatives companies can consider to keep cybersecurity measures front of mind for their employees to help fend off attacks.
With the business end of the year in full swing and Christmas just around the corner, such measures are crucial if retailers are to protect not just their revenues, but their reputations.