Retail Sector Breaches: What Can We Learn?

There have been a number of retail data breaches in the last decade. As more retailers increase their IT expenditure and leverage information assets, many are also experiencing cyber as a strategic-level risk, one which has the potential to cause operational disruption, financial losses and reputational damage. Looking back, there are certainly a number of retail cyber incident examples I can cite:

  • TJX Companies Inc. (2006-2007, at least 46 million records compromised)
  • T-Mobile (2009, millions of records sold by malicious insider)
  • Target Stores (2013, 110 million records compromised, infected payment card readers)
  • Home Depot (2014, 256 million payment cards compromised, infected point-of-sale systems)
  • Tesco.com (2014, more than 2000 leaked usernames and passwords forced retailer to suspend online shopping accounts)
  • Moonpig (2015, software flaw)

All of these data breaches have a common outcome: data loss which had unforeseen financial, reputational and organizational consequences.

Technology plays an integral role in today’s retail environment – everyone knows it’s a business enabler and that companies are going to get left behind if they don’t have a digital strategy. However, many retailers remain ill-informed about the cyber-criminals waiting around the corner, only too eager to gain access to sensitive information if issues are unknown or even knowingly left untreated.

Attack Vectors

Looking at the breaches that I cited previously, we can see that the human element is present in all its glory. Poor security practices, insufficient training and lack of understanding are responsible time and time again. All of these combined contribute to the poor handling and exposure of sensitive data, whether it be a customer’s payment details, a colleague’s home address or the business’s unreported financial results.

From an attacker’s point of view, these issues often go unnoticed by security teams and present a golden opportunity for quick access to retail applications and customer data. Targeting a retailer’s system has a much higher financial payoff than targeting individual customers.

Recent retail cyber-attacks demonstrate that installing information-stealing malware on point-of-sale (PoS) systems is on the rise. This attack route allows cyber-criminals to capture huge quantities of payment and consumer data without having to use any specialist hardware to harvest ‘mag swipe’ data. The hardware and the software required to execute the attack are already in use by retailers, so a prospective hacker would only have to leverage this available technology to compromise the credit cards of thousands of users and/or exfiltrate any stolen information.

Developers, developers, developers

Whilst testing retail software applications for our clients, my team and I often come across developers who think that security is something that they can leave to the very end of the product lifecycle. Their attitude towards security is that it’s another tickbox that needs to be checked. Very few consider the business impact of an insecure product, hacker motivations (for example, many target PoS technology as that’s where all the purchases are finalized) and the fact that hacking is no longer a game for the experts – it’s getting easier and more common. Furthermore, most retailers do not have dedicated in-house software development teams, and instead choose to outsource all the software solutions they require. Risk cannot be outsourced where reputation is concerned.


In the course of a test, we also often discover forgotten backdoors and hardcoded passwords in retailers’ software solutions. Non-documented features left behind by developers, such as menu options and functionality that serve no usability purpose, are another major issue. When penetration testers examine these applications, they are able to reverse engineer the software (revealing the data it handles) and come across insecure user interfaces that promote poor password practices and poor handling of customer data. When we report the findings back to our clients, 99.99% of the time they are unaware of these non-documented features.

My advice? Train your employees to understand your threat profile and their role in defending the company, train management to appreciate the high-level risks associated with strategic technology, and train your developers to code securely.

Whatever way you look at it – good security’s a question of good education.
