Retail Technology

Latest international data breach research finds retail and hospitality sector companies top ranking for incidents


Retail has been ranked only second behind the accommodation and food services industry with the highest percentage of data breach incidents, according to the latest research.


The eighth annual Data Breach Investigations Report (DBIR) from security vendor Verizon analysed forensic evidence to uncover how sensitive data is stolen from organisations.


Working with the US Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) for the first time this year, Verizon compiled its global report from 855 incidents and 174 million compromised records. It also took into account the work of the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISSCERT), and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police.


Smaller retailers are attractive targets


The retail findings were based on approximately 330 confirmed data breaches over the last two years. Small to midsized hospitality and retail organisations (of between 11 and 100 outlets) were at particular risk, sharing the same basic commonality and driver for breaches: the point-of-sale (PoS) systems they rely on to conduct daily business activities.


Such businesses often lack the in-house resources or expertise to manage their own security, relying on third parties or an incorrectly configured out-of-the-box security product, either of which may fail to prevent a breach.


“Unfortunately, this often makes retailers prime targets for financially motivated criminal groups exploiting weak, guessable, or default credentials via third-party remote access services to PoS systems,” said the report.


“This type of attack is opportunistic in nature, highly scalable, can be conducted from a great distance, and presents a low risk for the criminal,” it added. But it also said the good news is that by following a few relatively simple security practices, retailers can put themselves in a much better position to avoid falling prey to these attacks.


PoS systems are popular attack vectors


The Verizon analysis also revealed pay-at-pump terminals were the cyber criminals’ most popular target, followed by the PoS server store controller and PoS terminal. Compromised desktops, database services and web or application servers rounded out the most popular retail target assets by percentage of breaches.


The report advised retailers to:

  • Change administrative passwords on all PoS systems. Hackers constantly scan the internet for easily guessable passwords.
  • Implement a firewall or access control list on remote access/administration services. If hackers can’t reach your system, they can’t easily steal from it.
  • Avoid using PoS systems to browse the web. Or anything else on the internet for that matter.
  • Make sure your PoS is running a PCI DSS compliant application. Ask your PoS vendor for additional information on this topic.
  • Make petrol pump terminals tamper-evident. And inspect them regularly for signs of foul play.
  • Protect public-facing web assets. They’re great for attracting customers, but they’re also a magnet for criminal attention.
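The second recommendation, restricting remote access and administration services to PoS systems, is the one the report ties most directly to the breach driver it describes. The following is an added audit example, not code from the report or from Verizon: given a list of inbound firewall rules for a PoS network, it flags any rule that opens a remote-administration port to sources outside an approved management range. The port list, the rule format and the sample rule sets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Remote access / administration services often exposed on PoS hosts.
# This port list is an assumption for the example, not taken from the report.
REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH", 5631: "pcAnywhere"}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR notation
    dport: int    # destination TCP port


def exposed_admin_services(rules, allowed_sources):
    """Return (port, service, source) for every allow rule that opens a
    remote-administration port to a source not contained in one of the
    approved management networks (e.g. the PoS vendor's support range)."""
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.dport not in REMOTE_ADMIN_PORTS:
            continue
        src = ipaddress.ip_network(rule.src)
        # A source is acceptable only if it sits entirely inside an approved net.
        contained = any(src.version == a.version and src.subnet_of(a) for a in allowed)
        if not contained:
            findings.append((rule.dport, REMOTE_ADMIN_PORTS[rule.dport], rule.src))
    return findings


# Constructed sample data: an approved management range (RFC 5737 test address
# space) plus a weak rule set and its corrected counterpart.
MANAGEMENT_NETS = ["203.0.113.0/24", "10.10.0.0/16"]
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", 3389),   # RDP reachable from the whole internet
    Rule("allow", "0.0.0.0/0", 443),    # customer-facing HTTPS, not an admin port
    Rule("deny", "0.0.0.0/0", 5900),
]
HARDENED_RULES = [
    Rule("allow", "203.0.113.0/24", 3389),  # RDP only from the vendor's range
    Rule("deny", "0.0.0.0/0", 3389),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, exposed_admin_services(rules, MANAGEMENT_NETS))
```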


Verizon also said that if a third-party vendor manages the PoS systems, retailers should ask that vendor to confirm these things have been done. “If possible, work this into the contract,” it added.