When Scarborough, Maine-based Hannaford Bros. suffered a network breach in 2008 that exposed the payment data of 4.2 million customers, industry players vowed to tighten their data security. For its part, Hannaford reportedly spent several million dollars to replace the PIN pads at all of its stores so that it could encrypt bank-card numbers at the point of entry. The retailer also installed real-time security-monitoring software. So far, at least, these changes have prevented further breaches at the company.
But five years later, cyberattacks seem to be more common than ever. In the first quarter of this year alone, Phoenix-based Sprouts Farmers Market said it had malware planted on point-of-sale (POS) equipment at 19 of its 151 stores.
Bashas' "located and removed a highly sophisticated piece of malware that has never been seen before in the industry," according to a company statement, though not before the malware accessed consumer payment data from some of the Chandler, Ariz.-based chain's more than 130 stores. And St. Louis-based Schnuck Markets acknowledged at the end of March it had been "the victim of a cyberattack" that stole payment-card data from some of its 100 stores.
The fact is, cybercrime is on the rise: According to an October 2012 study of 56 companies by Ponemon Institute, the businesses suffered an average of 1.8 successful cyberattacks a week in 2012, up 42 percent from the previous year. The cost of preventing more successful attacks, as well as of dealing with the results of successful hacks and subsequent loss of business, averaged $8.9 million per company, a 6 percent increase from 2011.
But lawsuits can increase the cost. Schnuck Markets said in a court filing that the data breach could cost the company $80 million in Illinois alone if a class action lawsuit involving as many as 500,000 consumers moves forward, the Chicago Tribune reported. A Schnuck spokeswoman said the lawsuit was without merit.
Some criminals are interested in the sort of personal data–such as email addresses for use in phishing scams–that can be reaped by hacking into loyalty-card programs. But bank card numbers and personal identification numbers (PINs) remain the most highly sought-after data. The increasing use of credit and debit cards at point-of-sale devices, online and via mobile gives criminals both more data to target and more points of entry through which to reach it.
One reason for the rise in successful attacks, says Tom Kellermann, vice president of cybersecurity at Trend Micro, a provider of cloud security services with U.S. headquarters in Cupertino, Calif., is that "organized crime has moved heavily into hacking. This is evidenced by the decline in street crime globally, as noted by Interpol."
At the same time, "retailers are suffering from the same kinds of problems that the entire economy is suffering from: miseducation, lack of good security training, poor software that is critical to conduct business, and reduced funding for IT departments," says Steven Aiello, a systems support manager with Ann Arbor, Mich.-based Online Tech, a provider of data centers and security.
Although cybercrime is a growing problem, retailers shouldn't assume it's insurmountable. By complying with basic security safeguards, retailers can stave off significant threats. "The best thing retailers can do is address low-hanging fruit," Aiello says. "You don't want to be the slowest gazelle in the pack."
While the attackers have become more organized and better financed, their chosen targets are becoming smaller, says Scott Champine, Online Tech's PCI-DSS specialist. "The small and medium-size retailers who once thought they could fly under the radar of criminal hackers must re-examine that perception. Because [as] the more recognizable brands have bolstered their IT security positions, criminals have turned their attention to smaller targets."
Even a 50-store chain can have labyrinthine back-end operations, providing plenty of vulnerabilities for cybercriminals to exploit. For instance, "loyalty programs may tie to retailers' back-office systems, such as the accounting suite, exposing both client and corporate information," says Charles Burckmyer, principal with Portland, Maine-based Sage Data Security.
In fact, obtaining a 360-degree view of the customer by tying together transactional, loyalty and social data can leave retailers more vulnerable to security breaches. "IT and security executives struggle with staying connected to key business strategies so they can stay in front of how these data topics are being used and [devise] new methods for implementing appropriate security controls to maintain control," says P.J. Ritters, a director in New York-based PricewaterhouseCoopers' Retail and Consumer Advisory Practice.
Mergers and acquisitions within the industry also can inadvertently make a hacker's job easier. "Many grocery-related retailers have grown through acquisition and have been slow to integrate and consolidate legacy systems from disparate IT operations across their respective brands," Ritters says. The challenge is finding security solutions that will work across the enterprise, he says.
Simple Ways to Fight Back
In its 2013 Data Breach Investigations Report, Verizon estimated that 78 percent of all initial breaches had a "very low" or "low" difficulty rating: The cybercriminals required few, if any, special skills or resources to steal the data. That's actually good news for retailers, as it means many solutions cost little, if anything. Here are several ways to reduce vulnerability:
- Know what software is running and ensure it is protected. "Gain true cognizance of all authorized and unauthorized software" used on your systems, says Kellermann. Vet every program on every device.
- "Take every step available to avoid holding and touching payment-card information," Burckmyer says. These raw data are the most valuable information entrusted to you by customers, and therefore the most vulnerable to theft. "Separate your PCI [payment card industry] networks from all others–your back office, Internet traffic, etc."
- Limit use of point-of-sale terminals and servers to POS processes. Your POS devices shouldn't even have full access to the web, says Marc Spitler, senior risk analyst at Verizon Enterprise Solutions. "If there are point-of-sale devices connected directly to the entire Internet, when you combine that with weak or shared credentials, that's where hackers can get access and install malware that's grabbing information from the [customer's payment] card before it can even be encrypted."
- Limit access privileges. Simply put, employees should have access only to devices and systems they need to conduct their jobs. "And if you terminate an employee," Kellermann adds, "make sure that account is no longer active in the organization."
- Invest in data loss prevention (DLP) software as well as antivirus and antimalware software; keep them all up to date, and run them daily. But more than that, be sure to review the reports daily as well, says Kellermann. "You have to be able to continually monitor and tell when a nefarious incident has occurred or is about to."
- Appoint a head of cybersecurity who will have authority to make daily refinements, Kellermann advises. Daily vigilance–from reading software reports to manually checking POS devices for signs of tampering to keeping up-to-date with software patches–is critical in fighting cybercrime.
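One way to carry out the daily review of POS network activity that the list above calls for (segregated PCI network, no general Internet access for POS devices, reports read every day), as an added example that is not from the article or from any company quoted in it. The POS subnet, the two allowed destinations and the flow-log lines are constructed for illustration.

```python
"""Daily egress review for a segmented POS (cardholder-data) subnet.
Flags any flow that leaves the POS subnet for a destination outside the
allowlist, or that enters the POS subnet from elsewhere. Constructed data."""
import ipaddress
from collections import Counter

# Assumed (hypothetical) layout: POS terminals sit in 10.20.0.0/24 and may
# talk only to the in-store POS server and the payment processor gateway.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = {
    ("10.20.0.250", 443),   # in-store POS/back-office server (constructed)
    ("203.0.113.10", 443),  # payment processor gateway (documentation address)
}

# Constructed firewall flow-log lines: time src:port -> dst:port proto action
SAMPLE_LOG = """\
2013-04-01T08:01:02 10.20.0.17:50123 -> 10.20.0.250:443 tcp ALLOW
2013-04-01T08:01:09 10.20.0.17:50124 -> 203.0.113.10:443 tcp ALLOW
2013-04-01T08:02:41 10.20.0.23:50201 -> 198.51.100.77:80 tcp ALLOW
2013-04-01T08:03:15 10.20.0.23:50202 -> 198.51.100.77:443 tcp ALLOW
2013-04-01T08:05:00 10.20.0.31:50300 -> 10.30.0.5:445 tcp ALLOW
2013-04-01T08:06:12 10.50.0.8:41000 -> 10.20.0.17:22 tcp ALLOW
"""

def parse_line(line):
    """Split one flow-log line into (src_ip, dst_ip, dst_port)."""
    _ts, src, _arrow, dst, _proto, _action = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port)

def find_violations(log_text):
    """Return (kind, src_ip, dst_ip, dst_port) for every flow that breaks the
    segmentation policy: POS egress to a non-allowlisted destination, or
    ingress into the POS subnet from any other network (e.g. remote admin)."""
    violations = []
    for line in log_text.splitlines():
        src_ip, dst_ip, dst_port = parse_line(line)
        src_in_pos = ipaddress.ip_address(src_ip) in POS_SUBNET
        dst_in_pos = ipaddress.ip_address(dst_ip) in POS_SUBNET
        if src_in_pos and (dst_ip, dst_port) not in ALLOWED_DESTINATIONS:
            violations.append(("egress", src_ip, dst_ip, dst_port))
        elif dst_in_pos and not src_in_pos:
            violations.append(("ingress", src_ip, dst_ip, dst_port))
    return violations

def summarize(violations):
    """Count offending POS hosts so the daily report shows where to look first."""
    return Counter(v[1] for v in violations if v[0] == "egress")
```

Run against the sample log it reports two web connections from one terminal, an SMB connection to a non-PCI subnet, and an inbound SSH session; the two flows to the POS server and the payment gateway are the only ones that pass.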
When compliance isn't enough
When Bashas' announced its cyberbreach, it made a point of declaring in its statement that it "is and has been compliant with all Payment Card Industry security requirements." But the fact that its customers' payment data were stolen proves that compliance with the PCI Data Security Standard (PCI DSS) alone isn't enough to foil cybercriminals.
Created in 2004 by four major credit-card companies, PCI DSS requires retailers accepting their cards to adhere to certain regulations. But many companies fail to maintain those practices over time. "Retailers do sometimes assume DSS is a final achievement, where in fact it is an ongoing process. Having, following and improving an information security policy is a requirement," Burckmyer says.
And PCI DSS doesn't address every type of cybercrime. "I believe the biggest oversight is looking at security as a 'to do' and not as a philosophy or culture," says Champine. "Most companies still view security as a task that must be accomplished once a year to satisfy PCI DSS. Security is 24/7/365."