The retail sector is no stranger to cyber attacks. During the pandemic, many people were forced or chose to stay inside and shop online, and for many that became a lasting preference. The result has been an unprecedented number of online interactions and a boom in ecommerce. Hackers have not failed to seize the opportunity for attack, and this increase in online retail was matched by an increase in malicious activity.
ForgeRock’s 2022 Consumer Identity Data Breach Report analysed a wide range of data to understand how these attacks have evolved over the last year, and why the retail sector is most at risk.
So, what did we find? And, more importantly, what can you do to shore up your cybersecurity defences and avoid becoming just another retail data breach statistic?
Security risks are increasing everywhere
In 2021, the overall number of data breaches increased across the globe. Those involving usernames and passwords accounted for more than 2 billion breached records, an increase of 35% in 2021. In many cases, these stolen credentials were used to compromise more data once a breach had occurred, leading to a vicious cycle of even more account takeovers (ATOs). ForgeRock’s data supports this finding, with unauthorised access accounting for 50% of all records breached, making it the leading cause of breaches for the fourth year running.
In the UK, retail was one of the worst hit sectors. According to the UK Information Commissioner’s Office (ICO), retail accounted for 20% of all cyberattacks during 2021, compared to 12% in finance, 11% in education and 9.3% in healthcare. The percentage of retail sales taking place online nearly doubled to 37% in January 2021, according to the Office for National Statistics (ONS), and businesses were forced to shift alongside consumers. The number of UK companies using bank accounts rose to 83% in 2021, while the percentage accepting online payments increased to 30%. With this in mind, it’s no wonder that the retail sector was particularly vulnerable, given that malicious actors had more attack vectors than ever before. As breaches continue to rise, it’s clear that traditional security methods must evolve to keep up with the ongoing onslaught of cyber attacks.
The customer (data) always comes first
Hackers are always on the lookout for new avenues of attack. The biggest targets for breaches in 2021 were financial information, such as credit card and payment information, and other forms of personally identifiable information (PII). As online retailers strive to create ever more streamlined user experiences, it is important to avoid casting security features like multi-factor authentication (MFA) aside. This mistake could leave the reams of personal data collected by retail sites vulnerable, creating the perfect conditions for breaches and fraud.
Phishing was one of the main methods used to compromise customer data, accounting for 38% of all threat incidents between January and September 2021. According to Ofcom, almost 45 million people received a scam text or call during the same period, with 82% of adults receiving a suspicious message via text. With so many customers vulnerable to having their login information stolen through phishing attacks, retailers must be on high alert. They should embrace MFA and AI-based monitoring of suspicious login attempts to stop hackers from using stolen credentials to drive further fraud.
Ashes to ashes, trust to dust
For retailers, the consequences of a data breach are larger than ever before. The average cost of a retail breach rose by 63% in 2021 and many retailers have deployed resources to make precautionary assessments of how much a breach would cost them. Tesco, for example, conducted a cyberattack “stress test” and found that a breach could cost the company up to £2.4bn in fines. Not only do data breaches have crippling financial consequences, they also erode customer trust and brand reputation, and can lead to as many as 85% of consumers deciding to stop engaging with a business altogether.
With the stakes so high, it’s no wonder that cybersecurity has climbed to the top of the boardroom agenda. The UK Government Cyber Security Breaches Survey found that more businesses are treating cybersecurity as a priority issue within senior management discussions. Moreover, Gartner estimated that worldwide spending on information security services would rise to £124bn, with 61% of CIOs increasing investment in cyber security in 2021. Evidently, retailers are sitting up and taking notice when it comes to cybersecurity.
Beyond the bottom line
If retailers want to avoid customer data breaches, they need to do more than just loosen the purse strings. Ultimately, many aspects of traditional security solutions are no longer adequate. Password protection is becoming increasingly outdated and, with ATOs based on stolen data on the rise, passwords may even do more harm than good. Businesses must also deploy extra measures proportionately, so that they don’t introduce friction that harms the user experience and slows business: customers already abandon 70% of online shopping carts before completing their purchase.
Businesses should therefore adopt a risk-based approach to ensure they strike the right balance between customer experience and security. To stay ahead of the game, businesses should build a security strategy around digital identity backed up with a Zero Trust strategy, and leverage the latest cybersecurity capabilities. For example, tools like AI can act as force multipliers that bolster existing defences and empower IT admins to make intelligent decisions more quickly, and with a higher degree of confidence.
Data breaches across the retail sector are becoming more frequent, costly, and damaging. And, with hackers coming up with more sophisticated methods of attack against digital defences, this trend shows no sign of slowing.
The world has moved far beyond the point where a simple password provides sufficient protection. If businesses want to stem the rising tide of cyber attacks, they should keep their finger firmly on the pulse: anticipating potential weak spots and adopting the latest cybersecurity technologies to scale their defences in line with emerging threats.
Alex Laurie is SVP global sales engineering at ForgeRock