Target and Toys R Us posted overall sales declines during the holidays.
Security experts praise Adidas’ decision to disable sites after last week’s hacking attack.
Online retailers can learn a lesson from last week’s hacking attack against Adidas Group, security experts say: It’s better to shut down e-commerce sites right away and shore up protections rather than deny the problem, keep the sites up and risk more damage.
Adidas says it came under a “sophisticated, criminal cyber-attack” late last week. The sports apparel manufacturer declined to give details about the attack, but said there was no evidence that the criminals stole consumer data such as payment card information. Adidas America Inc. is No. 205 in the Internet Retailer Top 500 Guide.
Adidas said that after detecting the attack it took down such e-commerce sites as Adidas.com, Reebok.com, miCoach.com and local online stores in other markets. That was the right move, security experts say.
“From everything I know so far, Adidas proactively and aggressively shut down the sites first, then figured out what was going on,” says Jeff Schmidt, founder and advisor of JAS Global Advisors LLC, which provides information security services to businesses. “It was a reasonable and prudent thing to do.”
Disabling the sites quickly can enable a retailer to gather evidence that could help law enforcement catch the criminals, says Neal Quinn, vice president of operations for online security services firm Prolexic Technologies Inc.
The Adidas attack also serves as a reminder that retailers need to prepare for attacks, especially in the midst of the lucrative holiday shopping season. “Everyone in e-commerce should have an incident response plan in place,” Quinn says. Schmidt adds that such a plan should detail how they plan to preserve evidence for law enforcement.
Adidas has not addressed the cause of the attack, and neither Quinn nor Schmidt would speculate about what type of attack it was. But Quinn, whose company focuses on distributed denial of service attacks, says the problem did not appear to be a DDoS attack. In a distributed denial of service attack criminals take control of many consumers’ computers and flood web sites with traffic, making them inaccessible to legitimate users.