Retailers brace for cyber attacks during peak shopping season
The Black Friday, Cyber Monday and Christmas peak shopping periods provide a welcome boost to retailers’ turnover, but the jump in transactions also offers more opportunities for cyber criminals.
Credit card fraudsters are relying on customers dropping their guard at a busy time of year rich with distractions, says Mark Deem, a cyber security legal expert and partner at law firm Cooley.
A cyber security threat is also present for businesses, which could miss out on a lucrative shopping period if their website is taken down by a hacker.
“Similarly . . . if a cyber attack in the supply chain stopped orders being placed and delivered to stores at critical times, it would have a significant impact,” adds Mr Deem, who has conducted internal investigations into major cyber attacks on a global retailer and a leading UK leisure company.
Gregory Garrett, a cyber security expert at BDO, the professional services group, says there are three main cyber threats to retailers’ ecommerce channels.
The first is distributed denial-of-service attacks, in which hackers overload ecommerce channels and supply chains with fake orders, email queries and other digital traffic, “resulting in operational network system overloads”, says Mr Garrett.
The second is business email compromise attacks, with “cyber attackers posing as business partners or suppliers requesting payments for fake products or services”.
The third is ransomware attacks, where a hacker encrypts a retailer’s data and will only decrypt it on payment of a ransom.
“Most retailers are not making adequate cyber security investments to protect their digital assets, intellectual property, personal identifiable information, client information, suppliers’ information and payment card information,” says Mr Garrett.
Magecart is one of the most sophisticated cyber attackers, according to Raj Samani, chief scientist at cyber security company McAfee. He says that the criminal hacking gang is adept at skimming customer payment card information from online shopping cart systems.
“There are so many groups, that’s the frightening part, and they don’t have to be as sophisticated as Magecart,” says Mr Samani.
Mr Garrett says defence against such attacks includes testing email systems for malware; monitoring point-of-sale and other systems for intrusions; improving employees’ cyber security awareness, especially of phishing attacks; and using independent experts to assess the adequacy of suppliers’ security procedures.
Robert Hannigan, chairman of cyber security group BlueVoyant and a former director of GCHQ, the UK’s electronic intelligence agency, says there are “sophisticated and well-funded criminal groups” targeting companies’ ecommerce channels. “They are scanning at scale for weaknesses and automating attacks at scale against those weaknesses,” he says.
Even if a company has robust defences, its suppliers can present a weak link for hackers to exploit. “You have banks spending £200m-£300m on their cyber security every year, but they are connected to several thousand vendors of varying sizes and each one of those represents a risk to their networks,” says Mr Hannigan.
Because of poor cyber security, the breach rate — the number of times an attack breaks through a company’s defences — in the US retail sector more than doubled between 2017 and 2018, according to a data threat report published by Thales, the data security vendor.
The UK’s National Cyber Security Centre and the British Retail Consortium have produced a 44-page guidebook that urges retailers to install a “preventive cyber security culture” across the business and supply chain.
Other advice from the guidebook includes encrypting and backing up critical data and establishing cyber security as a board-level issue. Companies are advised to have a response plan in place in the event of a breach.
Failing to protect customer data can have a financial impact. Under the EU’s General Data Protection Regulation, which came into force last year, data protection authorities can levy penalties up to €20m or 4 per cent of annual global turnover, whichever is higher.
Pointing to the scale of the risk, McAfee’s Mr Samani says about 1bn accounts globally were compromised and disclosed in the early part of this year. “The data are packed up and sold to criminals who log in as authorised users. There is an entire online ecosystem for this data.”