Analysis: Majority of Holiday Retailers Put Shoppers at Risk

More than 50% of the 48 largest retailers as indicated by the National Retail Federation may have failed to meet the Payment Card Industry’s Data Security Standards (PCI DSS).

That’s according to an analysis by SecurityScorecard, which found that major retailers, including Walmart, Amazon, H&M, Saks, BestBuy, Target and dozens more, are failing to keep up with critical processes needed to protect shoppers from being compromised. Issues discovered include malware infections, use of end-of-life products, weak network security and low security awareness among employees.

“In my previous role as a CISO with a large retailer, this time of year is always tough for security professionals,” said Sam Kassoumeh, co-founder and COO of SecurityScorecard. “With more consumers, more transactional data and more credit cards to steal, the holiday shopping season is an ideal time for a hacker to attack.”

He added, “Our analysis indicates that even the most secure retailers could be susceptible to a breach. Additionally, previously installed and dormant malware could be activated during this time of year to capitalize on a larger score. If a hacker decides to take action while organizations scramble to keep up with an uptick in sales activity, attacks are more likely to be successful.”

The report found that a full 100% of the biggest holiday retailers had multiple issues with domain security, which increases the risk of hackers impersonating a retailer’s site and falsifying a checkout form to obtain a user’s credit card information. More than 90% of them have an SPF record missing, which increases the risk of an email spoofing attack reaching consumers, while 80% may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
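The SPF finding above is the kind of thing a defender can verify from public DNS. The check below is an added example, not code from the report or the article: it classifies a domain's SPF posture (record missing, multiple records, or present with a given `all` qualifier) from its TXT records, using constructed sample answers in place of a live lookup; `include:` and `redirect=` targets are listed but not followed.

```python
import re

# Added example (not from the report or article). The "all" qualifier tells
# receivers what to do with mail from hosts the record does not authorize.
ALL_VERDICTS = {
    "-all": "fail",      # unauthorized senders rejected
    "~all": "softfail",  # accepted but marked
    "?all": "neutral",   # no assertion; same as having no policy
    "+all": "pass",      # authorizes every host, so forgery is trivial
}

def spf_records(txt_records):
    """Return the TXT strings that carry the SPF version tag (RFC 7208)."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]

def assess_spf(txt_records):
    """Summarize the spoofing exposure implied by a domain's SPF record set.

    'status' is 'missing', 'multiple', 'ok' or 'weak'; 'all' is the verdict
    for unauthorized hosts (or None); 'mechanisms' lists the record's terms.
    """
    records = spf_records(txt_records)
    if not records:
        # The article's finding: with no SPF record, receivers have no basis
        # to reject forged mail claiming the retailer's domain.
        return {"status": "missing", "all": None, "mechanisms": []}
    if len(records) > 1:
        # RFC 7208 section 3.2: more than one record is a permanent error,
        # which receivers treat as having no usable policy.
        return {"status": "multiple", "all": None, "mechanisms": []}
    terms = records[0].split()[1:]  # drop the "v=spf1" tag
    mechanisms = [t for t in terms if not t.startswith(("redirect=", "exp="))]
    all_term = next((t.lower() for t in terms if re.fullmatch(r"[-~?+]?all", t, re.I)), None)
    if all_term and all_term[0] not in "-~?+":
        all_term = "+" + all_term  # a bare "all" defaults to "+all"
    verdict = ALL_VERDICTS.get(all_term) if all_term else None
    # Only a hard or soft fail gives receivers grounds to reject or flag forgeries.
    status = "ok" if verdict in ("fail", "softfail") else "weak"
    return {"status": status, "all": verdict, "mechanisms": mechanisms}

# Constructed TXT answers standing in for DNS lookups of three domains.
SAMPLE_TXT = {
    "no-spf.example": ["google-site-verification=abc123"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "open.example": ["v=spf1 +all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        print(f"{domain}: {assess_spf(txt)}")
```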

Further, as of October 2016, 83% of the biggest holiday retailers had unpatched vulnerabilities in their networks, and 43% of them were infected with malware between April and June 2016. About 62% were using end-of-life products in the last month, which make them more susceptible to a number of attacks or exploits.

All bottom-performing holiday retailers have a D or lower in network security, suggesting that their network may have an unaccounted access point ready to be exploited.

In addition to system vulnerabilities, SecurityScorecard found that many of the companies examined also had employees who lacked training in basic security best practices.

“The biggest retailers’ last-place ranking in ‘hacker chatter’ and ‘social engineering’ complicates things further for their internal security,” said Kassoumeh. “Low social engineering scores are indicative that an organization’s employees are vulnerable to attacks that prey on a lack of knowledge.”
