A recent study by IBM showed that although the number of attacks on retailers was down by 50 per cent in 2014, criminals still stole more than 61 million customer records.
Examples include serious credit card data breaches at US retailers Target and Neiman Marcus. Target disclosed, towards the end of 2014, the theft of at least 40 million payment card numbers, although recent reports suggest the attack may be even worse than first thought.
Attacks damage reputation and brand, cause business losses from the loss of commercially sensitive information, incur reactive costs in responding to a data leak, and carry legal consequences such as monetary fines.
In response, the Retail Industry Leaders Association (RILA) prioritised cyber security and data privacy, and pointed to retail’s reliance on third parties in the payments infrastructure. Speaking in 2014, RILA’s senior vice president of government affairs, Bill Hughes, said: “Retailers have long argued card technology is antiquated and criminals can use stolen consumer data to create counterfeit cards with ease.”
According to IBM, while most attacks against retail are command injection or SQL injection, point of sale (PoS) malware attacks are increasing. Thieves are using techniques such as RAM scraper malware, memory-parsing software that captures card data as it passes through the live memory of a computer such as a checkout terminal, where it is briefly held in plain text before it is encrypted. Other risks include identity theft, denial of service attacks, and the theft of data, intellectual property and trade secrets.
Such a range of risks requires a robust security strategy, based on an assessment of threats, vulnerabilities and business impacts, and an effective information security management regime which includes appropriate risk mitigation. Threats exist not just in the retail organisation but within its supply chain and the wider third party infrastructure. Using contracts to ensure that supply chain providers adhere to recognised standards such as ISO17799 and ISO27001, COBIT 5 for information security and the SANS Top 20 Critical Security Controls can be good practice, but it is not a silver bullet. Information security is a key due diligence topic to be examined prior to entering into the contract.
For example, assurance can be taken from contracting with an entity that complies with the US NIST Cybersecurity Framework or the UK Cyber Essentials scheme. Contracts should cover data protection and security, audit and assurance, security operating procedures and testing. Threats arising from non-compliance with laws and regulations remain a big concern. In the US, most states require companies to contact customers when certain personal information is compromised. This task often falls on the credit card issuer although merchants are required to report breaches of personal information including social security numbers.
In the EU, privacy law is to be shaken up with a new General Data Protection Regulation this year or next. This will toughen existing laws (with the threat of significant fines for breaches) including enshrining privacy by design into law, requiring data controllers to notify their regulator of any data breaches, and reflecting aspects of the so-called ‘right to be forgotten’.