Securing the shopper
27th June, 2024 • Online
Retail, almost as much as banking, is ‘where the money is’. And the hackers know it.
“To open a shop is easy. To keep it open is an art,” runs one Chinese proverb. And that was before cyberattacks. Now, as the Swedish Co-Op has found (again!), keeping the store open is a whole other level of hard. They were just hit by the Cactus ransomware gang, which prevented them from taking card payments. Just before the New Year, US hardware retailer Ace was attacked and lost the ability to use the majority of its IT systems, including invoicing. And third-party dependencies continue to be an issue: last year’s attack at IT supplier Swan Retail meant that 300 independent retailers lost their ability to trade online and fulfil orders.
These problems have not gone unnoticed by customers. A recent survey ahead of the last UK ‘Black Friday’ shopping frenzy showed that:
• 76% of Black Friday shoppers said that the cyber security of online retailers is important to them
• 54% of Black Friday shoppers said that if they knew an online retailer had experienced a data leak they would be less likely to shop there
• 55% of Black Friday shoppers said that a strong cyber security policy published on an online retailer’s website would make them more inclined to shop there
• 38% of Black Friday shoppers said that they would be more likely to shop with an online retailer if they had successfully prevented and managed a cyber attack
And the NCSC echoed this in its report in November 2023, warning that the retail sector was a prime target for scammers and attackers of all kinds. Felicity Oswald, NCSC Chief Operating Officer, said “As we enter the Black Friday and festive shopping period, online shoppers will naturally be on the lookout for bargain buys. Regrettably, cyber criminals view this time of year as an opportunity to scam people out of their hard-earned cash, and the increased availability and capability of technology like large language models is making scams more convincing.”
So, why are retailers also among the most breached companies around? Just being an attractive target is not a guarantee of loss; all companies need better defences than they apparently have.
In the past, even large retailers were very publicly not in compliance with key standards, storing passwords in plain text and ignoring basic cyber hygiene. There are still problems of transparency and of taking cybersecurity seriously at significant organisations, and simple hacks are still causing chaos.