As we enter the busiest and most lucrative period of the year for retailers, it’s a good time to take a look at some of the key security issues and challenges facing the industry.
Retail has certainly been in the news a lot of late when it comes to information security, and not for good reasons. One of the most recent high-profile security breaches hit The Home Depot: in early September, the world's largest home improvement retailer disclosed a months-long attack on its payment data system.
This month, the company shared details of its investigation, conducted in cooperation with law enforcement and the company's third-party IT security experts. The investigation to date has determined that cyber criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.
The stolen credentials alone didn’t provide direct access to the company's point-of-sale devices. But the attackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to use unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
In addition to payment card data, criminals took separate files containing about 53 million email addresses during the breach. These files did not contain passwords, payment card information or other sensitive personal information, the retailer says, and it is notifying affected customers in the U.S. and Canada.
The malware used in the attack hadn’t been seen in any prior attacks and was designed to evade detection by antivirus software, according to the company’s security partners. The hackers' method of entry has been closed off and the malware has been eliminated from the company's systems. The Home Depot says it’s continuing to work with its partners to further enhance its security measures, with efforts including enhanced encryption and Europay, MasterCard and Visa (EMV) Chip-and-PIN Technology.
This attack was just the latest in what has been a string of retail security incidents. During the past year, companies including Michaels and Neiman Marcus Group have reported attacks on their systems involving sophisticated malware. And of course it was about a year ago that Target was hit with a breach that resulted in the theft of millions of customers’ credit card information, including payment information, names, phone numbers and email addresses.
The Target incident had a big financial impact, with the retailer announcing in August 2014 that its second-quarter financial results were expected to include gross expenses of $148 million, partially offset by a $38 million insurance receivable, related to the security breach.
Clearly—and with no pun intended—these days the entire industry seems to be a target for cyber criminals. And at least some consumers likely were uneasy about using their payment cards on Black Friday or other shopping days in the weeks ahead.
Retail seems like a natural target for financially motivated attacks, because the business involves the continual movement of money, either in brick-and-mortar stores or via ecommerce. With a large number of consumers using credit or debit cards to make purchases, there’s plenty of opportunity for cyber crooks to try to steal personal data that they could use to conduct fraudulent activity.
It goes without saying that retailers need to have a defense-in-depth security strategy, including the latest-generation firewalls, intrusion detection and prevention, identity management and access controls. But they also must use or support technology such as encryption and chip-and-PIN to ensure that payment card data is protected throughout the purchasing cycle, including when data is in transit and stored on premises or in the cloud.
Retailers also need to make sure that they have up-to-date anti-malware and antivirus software. It’s important to keep in mind that some of the recent attacks have involved the use of newly discovered malware. With the threat scenario constantly evolving, it’s vital that retailers keep on top of the latest information security threats and vulnerabilities.
The industry is taking steps to improve overall security. For example, in April 2014 the Retail Industry Leaders Association (RILA), in conjunction with well-known retail brands, created the Retail Cyber Intelligence Sharing Center (R-CISC). Through this endeavor, retailers are able to share cyber threat information among themselves and with public and private stakeholders such as government security entities.
As RILA notes on its Web site, “the industry is already going to great lengths to minimize risk and stay ahead of cyber criminals. But through collaboration, our ability to develop innovative solutions and anticipate threats will grow, enhancing our collective security and giving customers the service and peace of mind they deserve.”
By deploying strong security technologies and policies, in addition to taking part in this type of collaboration, retailers can let consumers know they are doing all they can to protect systems and data.