Months After Target Breach, Retailers Still Leaving Data at Risk

On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail industry.

The news is reminiscent of the events back in January of this year when details of Target’s data breach were emerging along with reports of breaches at other retailers. At the time BitSight raised the concern that the Target breach was likely a harbinger of more breach announcements to follow.

Since then, BitSight has continued to observe evidence of system compromise inside hundreds of retailers over the course of the year. Based on our data and analysis, we observed that there were many retailers with poor performance and that this downward trend has continued into the second half of 2014, as the chart below depicts.

While consumers wait for details to emerge around this latest incident, we thought it would be a good moment to reflect back on some of the major retail breaches we’ve seen this year.

January

• Neiman Marcus: An unknown number of customer credit and debit cards were compromised in an intrusion at the company’s card processor.
• T-Mobile USA: An undisclosed number of customers were affected when names, addresses, SSNs and driver’s license numbers were exposed on servers managed by a third party supplier.

February

• Home Depot: 20,000 employee names, DOBs and SSNs were stolen by three former employees and used to open fraudulent accounts.

March

• Spec’s Wine, Spirits & Finer Foods: 500,000 customers’ names, credit card numbers and card expiration dates from 34 stores were exposed over the course of a year and a half.
• Sally Beauty Holdings: 282,000 credit and debit cards were stolen through network intrusion and put up for sale on an underground crime store.

April

• Michael’s Stores: 2.6 million credit and debit card numbers were compromised in a data security attack.

May

• Ebay: 145 millions customers’ names, passwords, email addresses, and other contact details were exposed after hackers gained access to ebay’s corporate networks through the compromise of employee machines.
• Lowe’s: 35,000 current and former employee names, SSNs, DOBs, addresses and driver’s license numbers were stored in a file made accessible online by a third party vendor.

June

• Splash Car Wash: 30,000 customer credit cards were stolen by hackers at POS terminals.
• PF Chang’s: Thousands of credit cards and debit card numbers were stolen and posted for sale on an underground store.

July

• Goodwill Industries: Investigates potential data breach across its 165 agencies in North America.

This list is certainly sobering but by no means comprehensive. It only includes some of the highest profile reported incidents so far this year. There are likely many more breaches that have not and will not be reported.

The data here compels us to reiterate today what was expressed back in January: the evidence strongly suggests that organizations in the list above are not alone and does not bode well for the rest of the year.

So what can retailers and others do to strengthen their security posture? What this trend in retail highlights is the importance of industry and peer benchmarking. When organizations focus on measuring their performance, they gain insight into changes in their posture, and can better understand what actions are helping to improve their ratings. Benchmarking against well-performing industries and comparing security practices can help set strategy and herald the adoption of new standards.

For example, as we’ve shown in past analysis, financial services organizations sit at the top for a reason. They’ve adopted continuous monitoring, respond and recover quickly to emerging threats, conduct regular risk assessments and, most importantly, have made cyber security an executive and board-level issue. As retailers begin to adopt more of these measures and follow the best practices of top performing peers, we will likely see the number of breach incidents decline.