The number of data breaches involving retail store point-of-sale systems was down in 2013, but the number of data breaches involving web attacks—10% of the retail industry’s data breaches last year—is on the rise.
Despite the highly publicized data breaches involving retailers like Target Corp. and The Neiman Marcus Group, 2013 had fewer security incidents involving retail store point-of-sale systems than years past, Verizon Enterprise Solutions says in a new report. The “Verizon 2014 Data Breach Investigative Report” is based on data compiled from 50 government and independent organizations in several countries, including the U.S. Department of Homeland Security, U.S. Secret Service, McAfee (part of Intel Security), Deloitte and Touche LLP, and the U.S. Computer Emergency Readiness Team. Verizon Enterprise Solutions is a unit of Verizon Communications Inc.
Criminals accessing retail data through store payment networks accounted for just 14% of security incidents with confirmed data losses in 2013, compared with 31% of the total number of data breaches reported during 2011, 2012 and 2013, the report says.
That’s the good news.
But the bad news—and the more relevant news for e-retailers—is that successful attacks through web sites are on the rise. Such attacks accounted for 35% of security breaches with data loss in 2013, compared with 21% for all of 2011-2013. These attacks, which involve exploiting a weakness in web site code or using stolen credentials to impersonate a user, accounted for 10% of retail industry security incidents in 2013, Verizon says.
Overall, web attacks accounted for 35% of data breaches, point-of-sale incidents for 14%, cyber-espionage for 22%, card skimmers for 9%, malicious use of resources for 8%, other malware incidents for 4% and other types of attacks for the remaining 8%.
Looking more deeply at the retail incidents, point-of-sale attacks accounted for 35% of data breaches, denial of service for 33%, web attacks for 10%, card skimmers for 6%, resource misuse for 4% and other types of incidents made up the remaining 12%. The study counted the number of attacks rather than the amount of data compromised.
Most of those attacks on retail web sites were financially motivated. The report says most web attacks in 2013—95%—targeted payment card information. Verizon found those attacks all had something else in common, too: Most of the time customers reported the security breach before merchants or payment processors became aware of it.
That’s not the case in any other type of web security breach Verizon studied. In 74% of financially motivated web attacks, customers brought the incident to light, compared with next to zero for other types of security breaches. “Perhaps customers notice the fraudulent activity before anyone else, but something is definitely tipping them off before any internal mechanism,” the report says.
To combat payment data-related attacks, the report recommends doing away with single-password verification systems, enforcing lockout policies for accounts where users try and fail to log in, and continually probing for web site vulnerabilities and fixing them before attackers can find and exploit them.
Overall, the retail industry—including grocery stores, car dealerships and gas stations—accounted for less than 1% of the total reported security incidents last year, but 10.8% of the 1,367 reported security incidents with confirmed data losses, Verizon says.