Skip to main content

Report: 73% of Retail Security Incidents Compromise Payment Data

Verizon’s 2018 Data Breach Investigations Report (DBIR) found that among 53,000 total security incidents and 2,216 confirmed data breaches, instances of ransomware are on the rise—more than double what the telecommunications company uncovered in its 2017 report. A form of malware, ransomware is becoming a significant problem area for enterprises.

“This 11th edition of the DBIR gives in-depth information and analysis on what’s really going on in cybercrime, helping organizations to make intelligent decisions on how best to protect themselves,” George Fischer, president of Verizon Enterprise Solutions, said.

Though payment data breaches rightly grab the biggest headlines, ransomware poses a significant threat as it works by holding a company’s assets and information “hostage” until the business is forced to pay. Ransomware is the most common form of malware, according to the report, constituting 39 percent of such attacks. What’s more, these incidents are becoming more severe, as attackers focus on encrypting more “business critical systems” such as databases and servers and demand harsher ransom payments, Verizon found. In the retail sector, ransomware attacks (16 out of 63) are the second-most-common form of malware, behind those that capture app data (23 out of 63).

Denial of service attacks, payment card skimmers and web application attacks account for three quarters of all security incidents within retail, Verizon found. However, most (87 percent) skimming incidents involve gas-station pumps and Verizon believes that PIN-pad tampering episodes are shrinking because the effort required is “not worth the potential monetary gain.”

Related Stories

Meanwhile, attacks on web applications, which generally target the retailer’s servers and are among the 73 percent of attacks compromising payment data, outpaced all retail assets—such as gas pumps, ATMs, laptops, payment terminals, and the like.

According to Verizon, weaknesses in input validation and pilfered credentials are among the most common hacking techniques in this form of attack. Once they’ve penetrated the device, hackers typically modify the code to capture payment data as it’s being read into the app—or they exfiltrate the sensitive data.

“Essentially the criminals are turning a PCI-compliant application that does not store payment card data into a very non-PCI-compliant and criminal-controlled data harvester,” the report noted.

As threats and attacks proliferate, companies must take appropriate steps to mitigate their risk and maintain consumer trust. “Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” Fischer added.

Sixty-seven companies from 65 countries contributed data to the report.

Saks, Lord & Taylor and Under Armour all have suffered high-profile security breaches in recent weeks. However, the impending arrival of GDPR in the European Union—and the stiff penalties accompanying it—could compel business to pay much stricter attention to how they store and protect consumer data.