In this article, we focus on cyber security, particularly why data breaches spike over the festive season, the scams to watch out for and how the retail sector can best prepare itself for a data breach. This matters at any time, but it is even more important during the festive season, when more employees are out of the office and have limited access to key resources.

While retailers are busy decorating their stores, or focusing on driving revenue, cyber attackers (or the grinch of the digital world) are likely looking to exploit vulnerabilities in your online platforms.

This time of year is a critical period for the retail industry, with anticipated spend of more than $60 billion over ‘cyber weekend’, the pre- and post-Christmas sales and the Boxing Day sales. Cyber security incidents can significantly disrupt business operations, damage consumer trust and undermine retailers’ bottom line.

Retailers should review their cyber security defences and incident response plans now, to ensure their systems and customer data are properly protected from cyber attacks before the peak period begins.

Why data breaches spike during the holidays

Thousands of legitimate transactions occur every day, and they peak over the festive season, putting a strain on retail businesses. In that volume it becomes harder to pick out illegitimate transactions and payment requests, or to notice that a cyber security incident is under way.

Last financial year, the Australian Cyber Security Centre (ACSC) received over 11,000 reports of online shopping cybercrime, making up about 17% of all reported incidents during this period.

Between December 2021 and January 2022, a number of high-profile companies and organisations were subject to data breaches, including: Gravatar, SA Government, Finite Recruitment, Victoria Police, Huawei, Ubisoft, LastPass, Bunnings, FlexBooker and Red Cross Australia.[1] While opportunistic attacks occur throughout the year, attackers typically target businesses at times when they expect resources to be spread thin and defences to be caught off guard.

Scams to look out for

Threat actors and scammers are often sophisticated criminals. They regularly deploy creative methods to defraud innocent employees, customers, and clients.

A few festive scams to look out for include:

  • a Merry Christmas email from an address that closely resembles a customer’s or supplier’s email address;
  • a retail offer that looks ‘too good to be true’;
  • a website that looks exactly like yours, or one of your suppliers;
  • an unusual request to approve multi-factor authentication;
  • telephone calls or emails asking for any username, password or code needed to login to an account;
  • a fraudulent gift card;
  • social media ads offering goods at heavily discounted prices;
  • fake Australia Post delivery emails; and
  • scam invoices where criminals mirror your website or email signature and request payment to be made to their account for a seemingly legitimate transaction.
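Several of the scams above (the near-identical supplier email, the cloned website, the mirrored invoice) rely on a domain that is one character or one look-alike glyph away from a real one. The following is an added example, not code from the original article: it folds common homoglyphs, then compares a sender’s domain against a list of trusted supplier domains by edit distance and flags near misses. The trusted domains and sample addresses are constructed for illustration, and the substitution table and distance threshold are assumptions to tune for your own supplier list.

```python
"""Flag sender domains that merely resemble a trusted supplier's domain.

Added example, not from the original article. The trusted domains and
sample sender addresses below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Characters attackers commonly substitute for one another (constructed list;
# extend it from your own phishing samples). Multi-character entries come first
# when applied, so "rn" is folded to "m" before "1" is folded to "l".
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "!": "i", "|": "l", "3": "e", "5": "s", "8": "b",
}

TRUSTED_DOMAINS = ["example.com.au", "supplier-one.com"]  # constructed


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents and fold look-alike glyphs to a canonical form."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for bad, good in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: list[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the address's domain.

    'lookalike' covers homoglyph swaps (examp1e.com.au), near-miss spellings
    (suppliers-one.com) and a trusted name used as a leading label of an
    attacker-controlled domain (example.com.au.secure-invoice.net).
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    trusted_lower = [t.lower() for t in trusted]
    if any(domain == t or domain.endswith("." + t) for t in trusted_lower):
        return "trusted"            # the real domain or one of its subdomains
    norm = normalize_domain(domain)
    trusted_norm = [normalize_domain(t) for t in trusted]
    if norm in trusted_norm:
        return "lookalike"          # differs only by look-alike characters
    if any(norm.startswith(t + ".") for t in trusted_norm):
        return "lookalike"          # trusted name buried in a foreign domain
    if any(edit_distance(norm, t) <= max_distance for t in trusted_norm):
        return "lookalike"          # a typo-squat within the edit threshold
    return "unknown"


def triage(addresses: list[str], trusted: list[str]) -> dict[str, str]:
    """Classify a batch of sender addresses, e.g. everything that hit accounts payable today."""
    return {addr: classify_sender(addr, trusted) for addr in addresses}


if __name__ == "__main__":
    samples = [  # constructed sender addresses
        "accounts@example.com.au", "billing@mail.example.com.au",
        "accounts@examp1e.com.au", "accounts@exarnple.com.au",
        "invoices@supplier-0ne.com", "sales@suppliers-one.com",
        "pay@example.com.au.secure-invoice.net", "hello@totally-different.org",
    ]
    for addr, verdict in triage(samples, TRUSTED_DOMAINS).items():
        print(f"{verdict:9}  {addr}")
```

A result of ‘unknown’ is not a clean bill of health; it only means the domain is not impersonating a name on your list. Payment-detail changes on any invoice should still be confirmed by a call to a number you already hold for the supplier, not one taken from the email.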

Just one click by an employee may jeopardise the whole company. A click (or download) can execute malware that infects your company’s systems.

In the event of a ransomware attack, this could lead to your customers’ data being exfiltrated and your systems encrypted, with the threat actor demanding payment in exchange for the decryption keys and for not publishing the stolen data. This can be devastating for suppliers and retailers, especially if the attack occurs during a peak period.

Be prepared for a data breach

It is important that you make sure you have an effective response plan in place to deal with any data breach. It is best practice to hope for the best, but to prepare for the worst. We provided some tips on cyber incident response plans (IRP) in our recent article, Brace for impact – the importance of a tested cyber incident response plan.

This is even more essential during the festive period, when an increased number of employees are away from the office with limited access to key resources. A strong IRP will be user-friendly and clearly outline:

  • who to contact in the event of an attack;
  • clear responsibilities for individuals; and
  • a process for communicating important messages to customers.

Being prepared is the ultimate way to minimise the risk and consequence of a breach.

Back-up your important data

If your company is hit by a ransomware attack, it is likely that some of your valuable information will be encrypted.

Regularly backing up your critical data reduces the risk of downtime and allows your business to quickly recover after a cyber incident. Keep in mind that the cyber criminals understand this and often delete back-ups as part of their attack.

Keep up-to-date back-ups that are disconnected from your network, and test regularly that they can actually be restored. A back-up that has never been restored is an assumption, not a safeguard.
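Testing a back-up means more than checking that the job finished: you need to confirm that what comes back matches what went in. The following is an added example, not code from the original article. It records a SHA-256 manifest of the source tree at back-up time and later checks a restored copy against it, reporting files that are missing, altered or unexpected. The directory layout and file contents in demo() are constructed; in practice the manifest is written to the same offline media as the back-up so an attacker who deletes the network copies cannot also rewrite the checksums.

```python
"""Verify that an offline back-up actually restores what was backed up.

Added example, not from the original article. Builds a SHA-256 manifest of a
source tree at back-up time and checks a restored copy against it, so a
truncated, corrupted or partially deleted back-up is caught before it is
needed. Paths and file contents in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    problems: list[str] = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"modified: {rel}")
    # Files present in the restore but absent from the manifest are also suspicious.
    extra = set(build_manifest(restored)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return problems


def demo() -> dict[str, list[str]]:
    """End-to-end run on a constructed tree: one faithful restore and one damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pos-data"                      # constructed source tree
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2023-12-24.csv").write_text("order_id,total\n1001,59.90\n")
        (src / "customers.db").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(src)                    # taken at back-up time

        good = Path(tmp) / "restore-good"                 # everything copied faithfully
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore-bad"                   # truncated file plus a deleted file,
        shutil.copytree(src, bad)                         # the kind of damage only a test
        (bad / "customers.db").write_bytes(b"\x00" * 1024)  # restore reveals
        (bad / "orders" / "2023-12-24.csv").unlink()

        return {
            "clean": verify_restore(manifest, good),
            "damaged": verify_restore(manifest, bad),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else problems}")
```

Run the verification against a restore into scratch storage, not the production system, and schedule it at least as often as the back-ups themselves change shape (new databases, new stores, new point-of-sale exports), since a manifest only protects the files it knows about.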

New year, same secure data

Take the beginning of a new year as an opportunity to refresh your data security practices. Revisit your information security protocols, conduct an information security audit of your business and ensure data is as protected as possible. Companies bound by the Privacy Act 1988 (Cth) have a legal obligation to delete or de-identify personal information once it is no longer needed for the purpose for which it was collected and they are not otherwise legally required to retain it. With recent proposed amendments to the Privacy Act (see our recent article, Big penalties for Australian privacy breaches), which will significantly increase the maximum penalties that can be imposed for breaches, there has never been a more important time to assess your company’s approach to data.