Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityPrivacyTechnology Media and Telecom

Retail Leads the Way in Data Breaches — Here's How to Protect Your Customers

By Paige Schaffer
September 01, 2018

If 2017 was considered the “year of the data breach” as the number of incidents hit a new record high of 1,579, 2018 might get even more serious. Just a little more than halfway through 2018, the number and scale of data breaches that have already been reported is staggering. To name a few, In March, Under Armour announced that a breach affected an estimated 150 million users of its food and nutrition application; In April, Facebook notified 87 million members of its platform that their data had been shared; and in June, EXACTIS leaked a personal info database with 340 million records.

Macy's Data Breach

In the latest breach to make headlines, mega department store Macy's fell victim, as revealed in an emailed letter sent by the company to its affected customers confirming that an unauthorized third party accessed online customer accounts between April 26 and June 12 this year. Macy's also sent a letter to the New Hampshire Attorney General's Office on July 2 to notify them that 753 New Hampshire residents were affected by the breach, which detailed that it was alerted to an influx in abnormal login activities on macys.com and bloomingdales.com (owned by Macy's, Inc.) by their security suite on June 11. The leaked info may include customers' names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates.

The Retail Industry Is the Most Compromised Sector for a Fifth Year in a Row

Macy's isn't the only retailer to make headlines this year because of leaked data — the list is long and includes: Orbitz, Under Armour, Best Buy, Delta Air, Kmart, Lord & Taylor, Panera Bread, Saks Fifth Avenue and Saks Off 5th, and Sears. In fact, Trustwave's Global Security Report found that the retail industry was the most compromised sector for a fifth year in a row, and the primary target is payment card data.

These attacks aren't random, and there are plenty of reasons that hackers go after retailers. Even the strongest retail players are at risk: with massive amounts of customer information being stored across multiple channels, combined with limited IT resources (and sometimes a hodgepodge of new and old systems and hardware — or just fully antiquated systems altogether), the task of successfully defending their networks from vulnerabilities is daunting to say the least. Other reasons that retailers are at risk include:

  • Retailers are continuously processing large volumes of payment data, which translates to easy payouts for hackers if they can get into the system. Payment data is most commonly stolen through point-of-sale (POS) breaches, which make up 64% of all incidents, and a magnetic stripe data attack was the second highest at 33%. Because hackers have found ways to access the card data before it gets encrypted into the POS system's memory, retailers that use POS machines need to provide end-to-end encryption for all credit card transactions in order to protect customer data.
  • The technology that makes “tap to pay” or “mobile wallets” possible (called Near Field Communication) is a huge convenience for customers, but also poses its own security risks, as businesses aren't able to control who is accessing their system. For example, if a customer's phone is hacked, and they use Apple Pay, or any other mobile wallet, a virus could be introduced into the retailer's network. As more and more people begin to utilize mobile payment, we will likely see this technique used more often by hackers.
  • In this day and age, retailers must utilize a multi-channel strategy to remain competitive. The downside to this is that it makes data security a bit more challenging in that customer information is spread out across multiple channels.
  • The retail industry is known for having high turnover rates, and perhaps because of this, there's often a lack of internal security education. Particularly during busy seasons (e., holidays), many stores rely on hiring temporary employees who may not go through as stringent of background checks. This means that some of these workers may be more likely to have a criminal background, which could put the business at a greater risk.
  • Hackers are also very well aware of when retailers' peak business periods will be, so it's easy to use blackmail as a threat during these times. Additionally, because companies worry about their systems breaking during peak traffic, they avoid changing the code for their websites and mobile apps. This leaves stores' systems — and all the data they hold — particularly vulnerable.
  • Generally, we often don't see cybersecurity as a central focus among retailers. The spotlight is often on revenues, with data security sometimes seen as an afterthought. And hackers know this.

Cybersecurity Professionals in the Retail Industry Need to Do More

The increasing normalcy of data breaches in the retail industry has highlighted the fact that retailers need to be doing more — particularly in terms of protecting customer data. This must start from the inside out. Data security and compliance must crosscut the entire organization. Leaving this significant task just to IT or another dedicated department fails to address the larger issue: all staff are stakeholders in a company's data protection, and therefore must be trained on security best practices and requirements on an ongoing basis.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Bankruptcy Sales: Finding a Diamond In the Rough Image

There is no efficient market for the sale of bankruptcy assets. Inefficient markets yield a transactional drag, potentially dampening the ability of debtors and trustees to maximize value for creditors. This article identifies ways in which investors may more easily discover bankruptcy asset sales.

Judge Rules Shaquille O'Neal Will Face Securities Lawsuit for Promotion, Sale of NFTs Image

A federal district court in Miami, FL, has ruled that former National Basketball Association star Shaquille O'Neal will have to face a lawsuit over his promotion of unregistered securities in the form of cryptocurrency tokens and that he was a "seller" of these unregistered securities.

Why So Many Great Lawyers Stink at Business Development and What Law Firms Are Doing About It Image

Why is it that those who are best skilled at advocating for others are ill-equipped at advocating for their own skills and what to do about it?

A Lawyer's System for Active Reading Image

Active reading comprises many daily tasks lawyers engage in, including highlighting, annotating, note taking, comparing and searching texts. It demands more than flipping or turning pages.

Blockchain Domains: New Developments for Brand Owners Image

Blockchain domain names offer decentralized alternatives to traditional DNS-based domain names, promising enhanced security, privacy and censorship resistance. However, these benefits come with significant challenges, particularly for brand owners seeking to protect their trademarks in these new digital spaces.