As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest Verizon Data Breach Investigations Report (DBIR), an annual data breach study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzed forensic evidence to examine how data breaches occurred in organizations, who caused the breaches, why they did it, how the victims responded, and how the breaches could have been prevented.
The 2012 DBIR focused on the retail industry, which for the past two years has ranked second only to hotel and food services as the business most plagued with data breaches. The main reason for the high ranking of these two trades is that they use point of sale (POS) systems to conduct daily business activities, making them prime targets for criminals who exploit POS systems with weak security. Point of sale generally refers to the place or moment at which money changes hands in exchange for goods or services. Retailers are especially easy targets for cyber criminals, who can hijack credit card information from long distances. These attacks are low risk for the criminals, who often disappear long before a data security breach is discovered. In addition, fraudsters prefer to target small to medium businesses, such as franchise owners, that lack the resources and/or expertise to manage their own cyber security.
VERIS defines threat agents as the cause of data breach incidents and categorizes them as external (originating outside the victim organization), internal (originating inside the victim organization), or partner (any third party that shares a business relationship with the victim). The report found that external threat agents were the most prolific, with the majority of attacks originating from Eastern Europe, a hotbed of organized cyber crime. Internal threats made up a smaller percentage of incidents and often involved criminals coercing retail staff to help them, either by using a remote skimming device or by swapping legitimate PIN entry devices and POS terminals with identical, counterfeit replacements rigged to capture payment card data.
Even though these cyber thieves can be insidious, especially during a busy holiday season, retailers can protect themselves by following a few simple data breach protection practices:
- Change passwords regularly on all POS systems, since attackers constantly scan the internet for systems whose passwords are easy to guess.
- Implement a firewall on remote access/administration services.
- Do not use POS systems to access the internet.
- Make sure your POS system is compliant with the Payment Card Industry Data Security Standard (PCI DSS), the information security standard for businesses that handle credit card information.
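The four practices above are easy to state and easy to let slip across a fleet of registers, so they are worth checking mechanically. The following is an added example, not code from the report or from any POS vendor: a small Python audit that walks a constructed inventory of POS terminals and flags weak or stale passwords, remote administration reachable from outside the store's management network, and terminals allowed to reach the internet. The policy values (a 90-day rotation limit, the `10.50.0.0/24` management subnet, the short list of weak passwords) and the sample terminals are assumptions chosen for illustration.

```python
"""Audit a constructed POS fleet inventory against basic hygiene rules.

Added example; the policy constants and sample data below are assumptions,
not values taken from the DBIR.
"""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import Dict, List

# Assumed policy: rotate POS passwords within 90 days, and allow remote
# administration only from the store's management subnet.
MAX_PASSWORD_AGE_DAYS = 90
MANAGEMENT_NET = ip_network("10.50.0.0/24")
# Constructed, deliberately short list of vendor-default / trivially guessable
# passwords; a real audit would use a vendor-specific list.
WEAK_PASSWORDS = {"password", "123456", "pos", "admin", "changeme"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class PosTerminal:
    name: str
    password: str
    password_set_on: date
    # CIDRs permitted to reach the remote admin service; empty means the
    # service is disabled, which is the safest state.
    remote_admin_allow: List[str] = field(default_factory=list)
    # Whether the terminal's firewall permits general outbound internet access.
    outbound_internet: bool = False


def audit_terminal(t: PosTerminal, today: date) -> List[str]:
    """Return a list of finding codes for one terminal (empty list = clean)."""
    findings: List[str] = []

    # Practice 1: passwords must be neither default/guessable nor stale.
    if t.password.lower() in WEAK_PASSWORDS or len(t.password) < MIN_PASSWORD_LENGTH:
        findings.append("weak-or-default-password")
    if (today - t.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-rotation-overdue")

    # Practice 2: remote administration must be firewalled to the management
    # network. Any allowed range that is not inside it (e.g. 0.0.0.0/0) means
    # the service is reachable from outside the store.
    for cidr in t.remote_admin_allow:
        if not ip_network(cidr).subnet_of(MANAGEMENT_NET):
            findings.append(f"remote-admin-exposed:{cidr}")

    # Practice 3: POS terminals should not browse or reach the internet.
    if t.outbound_internet:
        findings.append("outbound-internet-allowed")

    return findings


def audit_fleet(terminals: List[PosTerminal], today: date) -> Dict[str, List[str]]:
    """Map each terminal name to its findings."""
    return {t.name: audit_terminal(t, today) for t in terminals}


# Constructed sample inventory: one badly configured register and one that
# follows every rule. The audit date is fixed so results are reproducible.
SAMPLE_TODAY = date(2012, 11, 20)
SAMPLE_FLEET = [
    PosTerminal("register-1", "pos", date(2011, 6, 1), ["0.0.0.0/0"], True),
    PosTerminal("register-2", "Qv7!mR2#xLp9wT", date(2012, 10, 15), ["10.50.0.0/24"], False),
]


def run_sample() -> Dict[str, List[str]]:
    return audit_fleet(SAMPLE_FLEET, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Running the script reports `register-1` with all four findings and `register-2` as clean. In practice the inventory would come from the firewall configuration and the device management system rather than being typed in, but the checks themselves do not change; PCI DSS compliance is broader than these three items and still needs its own assessment.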