Retailers Saw 61 Million Customer Records Stolen in 2014

If 2014 seemed like the year of the data breach, the data bears out that instinct. According to IBM Security, during 2014 cyber attackers continued their assault on the retail sector, stealing more than 61 million records from retailers.

Overall, Big Blue’s latest retail report shows that there was a 43% increase in records reported compromised last year vs. 2013.

Further, cyber-thieves are causing far more damage while relying on fewer attacks to achieve their goal. Data from the two-week period (24 Nov - 5 Dec) around the biggest shopping days of 2014, Black Friday and Cyber Monday, revealed that the retail and wholesale industry emerged as the top industry target for attackers in 2014, a potential result of the wave of recent high-profile incidents impacting name-brand retailers.

Interestingly, overall data breach incidents are up, while holiday-specific attacks are down. From 2012 to 2014, the number of reported breaches during 24 Nov - 5 Dec dropped by more than 50%. And, the number of daily cyber-attacks was 3,043, nearly one third less than the 4,200 average over this period in 2013.

But, looking at the annual data, even after removing two huge data breaches from the data (Target and Home Depot), there remains a significant increase in the number of records reported compromised year over year since 2012.

More than 260 million retail records have been reported as leaked, lost, or stolen in the United States since 2005. This number would actually be much higher if data had been obtained for the 340 additional retail compromises documented since 2005 for which there is no total record loss listed.

IBM offers a nice recap of the most headline-grabbing data breaches outside of the recent Sony hack: Home Depot (2014, 56 million); Target Corporation (2013, 70 million); Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) (2011, 12 million); Steam (The Valve Corporation) (2011, 35 million); and TJX Companies Inc. (2007, 100 million).

It’s not likely that we’ll see a significant fall-off of fraud efforts even with the positive holiday season statistics. “Credit cards have been around for decades,” IBM said. “They allow us to purchase items without having to carry large sums of cash. A small piece of plastic that offers so much convenience. Criminals target that convenience in many ways.”

And the findings show a marked evolution in how fraud is being carried out. Until recently, credit card fraud was mainly limited to a handful of methods, including physical theft of the card itself, individuals falsifying credit card applications, and intercept fraud, where a credit card is applied for legitimately but is stolen from the mail. In other cases, a physical skimmer is often placed on a point-of-sale machine to capture credit card data. But 2013-2014 ushered in more advanced forms of digital fraud.

For instance, there are new theft strategies that have been developed to spoof a merchant’s web site. Often this is paired with a spam campaign, to lure victims to follow a link to what appears to be a legitimate company. When they order goods or services via the web site, all of their personal information and credit card numbers are sent to the fraudster.

And then there are all of the compromises around POS malware—responsible for Home Depot, Target and many others.

“POS systems are being compromised by several different types of malware,” IBM noted. “The malware specifically intercepts the credit cards' track 1 or track 2 data which is stored on the magnetic stripe. Criminals then re-encode the track data onto counterfeit cards.” 
