Lessons from some of the biggest retail hacks in history

If you don’t believe cyber-crime is a significant risk in retail, just look at the numbers associated with some of the biggest hacks in recent history. 

Beginning in 2005, TJX suffered a data breach that went undetected for roughly 18 months and ended up exposing more than 45 million payment card records belonging to customers in the US, Canada and the UK, costing the company hundreds of millions of dollars in settlements and remediation. 

A few years later, in 2013, much the same happened at Target in the US, where attackers made off with the payment card data of around 40 million customers and the personal data of roughly 70 million. Then, in 2018, Marriott disclosed that the personal information of up to 500 million guests had been stolen from its Starwood reservation database. 

These are just a few examples of the growing cyber security problem in retail. The sector consistently ranks as one of the most targeted when it comes to cyber-attacks, and it is not hard to understand why. 

“It is no secret that cyber criminals are targeting financial services information, and payments data in particular because that is where the money is,” said John Tait, global MD, payments market at TNS. “The data is easily usable or transferable; stolen payment card information can instantly be used to make purchases of goods that readily turn into value.”

In all three of the examples given above, the attackers stole payment information, such as card numbers and expiry dates, alongside personal information, such as names and birth dates. A large part of TJX's payout went on credit monitoring and identity theft insurance for the customers whose information was stolen.

As Tait explained, hackers often sell card data on the dark web to be used in future purchase transactions, since the data remains valid until the company realises that a compromise has occurred.

What’s driving the rise in cyber-crime?

Payments have always been a part of retail, so why have so many more retailers been experiencing cyber-attacks in recent years? 

The two main factors are the rise of online shopping and the shift to non-cash payments, such as credit and debit cards and digital payments, including e-wallets and buy now pay later apps. Covid-19 has accelerated both of these trends. 

According to McKinsey, the global use of cash was expected to decline four to five times faster last year than it has over the last few years. That would mean around two thirds of global payment transactions were executed in cash last year, though in mature markets, such as Finland, the UK and Australia, less than a quarter of payments would have been made in cash.

Meanwhile, a recent report by Worldpay from FIS found that one in ten Australians now use a buy now pay later (BNPL) app, and that BNPL accounts for 8 per cent of all e-commerce transactions. Its market share is expected to more than double to 17 per cent this year. 

“The way consumers have shifted their payment preferences has driven a change in the risk profile of certain payment types,” said Tait. “The move to online transactions in particular may change the risk profile for electronic payment acceptance, as an online payment transaction has more reasons to be disputed and/or charged back.”

Retailers can’t afford to lag behind consumers when it comes to supporting the latest payment methods, so it’s crucial that organisations keep data protection and management at the forefront of their minds.

What does it take to protect payment data? 

“There is no single strategy or silver bullet that protects payments,” said Tait. Instead, a “defence in depth” approach is required. 

“This approach provides layers of protection across the value chain of payments that typically allows for protection. In essence, if one layer is compromised another layer steps in to prevent a potential attack,” he added. 

Retailers should combine network security, staff training and behavioural controls, data encryption and protection measures, and ongoing monitoring and analysis of transaction and log data. On top of this, they need anti-malware protection on the endpoints that handle payments, so that a single compromised layer is not enough to expose cardholder data.

When it comes to network security, retailers should look for solutions delivered with PCI DSS compliance. PCI DSS is the baseline standard the card brands require of anyone who stores, processes or transmits cardholder data, and using a compliant provider for the payment network helps retailers limit the scope they must secure and assess themselves (it does not remove their own responsibility for the systems they control). One example of this is TNS Secure SD-WAN, a private network built to be robust, secure and scalable. 

“TNS processed 34 billion payment transactions last year and our services comply with PCI DSS, the highest standard of data protection in the industry,” noted Tait. “We do that specifically to help our clients feel assured that their data is traversing an infrastructure that complies with the industry’s leading standard for data security.” 

Click here to find out more about TNS’ Secure SD-WAN solution, and how it can help protect your retail business from the threat of cyber-attacks.