While this is good news for these industries, with more money comes more problems: data breaches. Companies now collect, store, and use customers' personal and financial data to improve the user experience, and every new store of that data widens the attack surface. Once attackers are inside a business network they can hold data for ransom, steal it and sell it on the Dark Web, or destroy it simply to cause havoc.
To help retail and hospitality organizations navigate this new risk landscape, we're exploring the impact of six notable data breach examples, how attackers commonly make their first move, and what steps companies can take to keep their data safe.
Six Examples of Retail/Hospitality Data Breaches
Target
The Target breach of 2013 signaled the start of a new attack era. Attackers managed to gain network access, steal the personal and financial data of more than 100 million customers, and then move this data to a server in Eastern Europe.
And it all began with an HVAC contractor that didn't follow data security best practices. Target had given this vendor remote access to non-critical systems such as billing and project management. Attackers first compromised the contractor (by phishing its staff) and stole its Target credentials; those credentials got them onto Target's network, from which they moved laterally into the payment systems and planted memory-scraping malware on point-of-sale terminals. Multiple automated warnings from Target's own monitoring tools were ignored, and the result was the exfiltration of card and personal data, the loss of customer trust, and breach-related costs and settlements running to hundreds of millions of dollars.
Saks Fifth Avenue
In 2018, Saks Fifth Avenue and Lord & Taylor stores suffered an attack attributed to the JokerStash syndicate. The result? More than 125,000 credit card numbers were posted online by the group, which claimed to have stolen 5 million in total. Saks used the EMV (chip and signature) standard, but EMV only prevents counterfeit cards from being used at the terminal; it does not protect card data once it is inside the POS software. Experts therefore speculated that the breach was possible because the company was not encrypting card data end to end from the point of sale (POS) to the card processor, leaving it readable in memory and in transit.
CVS Health
CVS Health suffered a self-inflicted data breach in 2021 when a database containing 1.1 billion customer records was found online without password or authentication protection. As a result, data including email addresses, user IDs, and customer search records was completely exposed. Thankfully, a security researcher found the database before attackers did and quickly alerted CVS, which took it offline.
Home Depot
The 2014 Home Depot breach was, at the time, the largest reported retail data breach involving a point-of-sale (POS) system. Criminals got in using credentials stolen from a third-party vendor. Once inside Home Depot's network, they moved laterally, escalated privileges, and installed custom memory-scraping malware on self-checkout terminals, giving them access to card data as it was processed. The breach resulted in the theft of roughly 56 million credit card numbers and around 53 million email addresses. The financial impact was staggering, with costs exceeding $200 million.
Guess
In February 2021, clothing retailer Guess was the victim of a ransomware attack, which it reported in May 2021. The company disclosed that data including Social Security numbers, driver's license numbers, passport numbers, financial account numbers, and credit/debit card numbers, along with security codes and PINs, was part of the breach. While Guess didn't identify the attackers, the likely culprits were the DarkSide group of Colonial Pipeline infamy, which listed Guess on its ransomware data leak site.
Marriott
Hotel chain Marriott reported a data breach in June 2022, exposing 20 gigabytes of sensitive information, including guests' credit card information and confidential information about employees. Attackers used social engineering to trick a single employee at a Maryland hotel property and gain network access. Once inside, the attackers demanded a ransom for the stolen data, which Marriott says it did not pay.
How Breaches Happen: Four Popular Attack Patterns
While attackers tailor their efforts to the situation, there is a common thread in data threats: efficiency. With the rise of malware markets that let low-skilled attackers buy and deploy ready-made payloads, attackers look for the simplest, cheapest route to compromise that gets them what they want.
Four popular attack patterns include phishing, social engineering, ransomware, and third-party compromise. Let's explore each in more detail.
Phishing
Phishing attacks use email to drive action. Staff may be encouraged to click links or download attachments that appear to come from a legitimate source. Clicking a link typically leads to a spoofed login page that harvests credentials; opening an attachment typically runs a malware loader. Either gives attackers a foothold from which to reach critical systems.
Social engineering
Using publicly available data, such as information posted on company websites or employees' social media profiles, attackers can create tailored campaigns that convince users to share account details or grant network access.
Ransomware
Ransomware payloads encrypt company data and demand payment for its release. Attackers may also threaten to sell or destroy data they have already copied if their demands aren't met. However, even if companies pay the ransom, there is no guarantee that their data will be restored or that stolen copies will be deleted.
Third-party compromise
If attackers can compromise third-party vendors, they may be able to enter business networks with legitimate-looking credentials and go unnoticed. In the case of Target, the vendor was an HVAC contractor whose staff were phished. The Home Depot breach began with credentials stolen from a third-party vendor. Other potential avenues of compromise include point-of-sale (POS) systems, ERP tools, and industry-specific services such as property management systems (PMS) for hotels or accounting tools for retail.
Potential Signs of a Breach in Progress
The earlier companies can spot attacks in progress, the better the chances of minimizing the impact and gathering valuable data that will help improve security operations.
Consider phishing attacks. Suppose malicious actors successfully convince users to click through on spoofed links or download malicious attachments. In that case, companies will often see sudden upticks in outbound traffic, frequently to unfamiliar destinations and at odd hours, as attackers attempt to exfiltrate data. Other signs include accounts requesting data they don't need for day-to-day operations. To reduce the risk of phishing, prioritize employee education. By teaching staff how to spot the hallmarks of phishing emails and implementing tools that automatically detect and quarantine likely lures before they reach employee inboxes, it's possible to blunt the impact of phishing efforts.
Social engineering relies on human nature. If attackers can convince staff that they're simply looking for help, or make employees believe that requests are coming from a trusted source, they can circumvent standard defensive measures. To help limit the impact of social engineering, companies should first identify their critical assets. What are criminals after, and why? By layering additional protection and monitoring on these assets, businesses are better prepared to detect attacks in progress. Multifactor authentication (MFA) also limits the damage: even if attackers obtain a user's password, they still need the second factor. Note that one-time codes and push prompts can themselves be phished or approved under pressure, so phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators) should protect the most sensitive accounts.
Ransomware makes its presence known with warnings that data has been locked down and will be destroyed or leaked if companies don't pay. Two controls frustrate most of that leverage. Encrypting sensitive data at rest (with keys the attacker cannot reach) means any copies the attackers exfiltrate are useless to them, which defuses the leak threat. Reliable, tested backups held offline or in immutable storage remove the access threat, since companies can restore critical data rather than negotiate. The backups must be isolated from the production network: ransomware operators routinely seek out and encrypt or delete online backups before triggering the payload.
Third-party problems can be harder to spot because the initial compromise happens outside retail and hospitality networks. Common indicators include an uptick in requests from peripheral applications or services, vendor accounts reaching systems outside the scope they were granted, and lateral movement of data across the network.
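The two indicators described above (a sudden outbound traffic spike after a phishing foothold, and a vendor account reaching hosts outside its contracted scope) can be turned into simple detection logic. The following Python script is an added example, not code from the original post or from any product it mentions; it runs over constructed log lines, and the log format, host names, account names, and thresholds are assumptions made for the example.

```python
"""Added example: detection logic for two breach indicators, run over
constructed log lines.

  1. Exfiltration spike: a workstation's daily outbound byte count jumps
     well above its own baseline from earlier days.
  2. Out-of-scope vendor access: a third-party account (the HVAC-vendor
     pattern) reaches internal hosts outside the set it is allowed to use.

Log format, host names, account names and thresholds are assumptions for
this example; real proxy/firewall exports will differ.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample: "<timestamp> <user> <src_host> <dst_host> <bytes_out>"
SAMPLE_LOGS = """\
2024-05-01T09:12:00Z alice ws-101 crm.internal 180000
2024-05-01T14:30:00Z alice ws-101 mail.internal 220000
2024-05-02T10:05:00Z alice ws-101 crm.internal 210000
2024-05-02T15:40:00Z alice ws-101 share.internal 150000
2024-05-03T02:17:00Z alice ws-101 203.0.113.45 9800000000
2024-05-01T08:00:00Z hvac-vendor vpn-gw bms-01.internal 40000
2024-05-02T08:05:00Z hvac-vendor vpn-gw bms-02.internal 38000
2024-05-03T01:50:00Z hvac-vendor vpn-gw pos-db-07.internal 52000
"""

# Hosts each third-party account is contracted to reach (assumed scope).
VENDOR_SCOPE = {
    "hvac-vendor": {"bms-01.internal", "bms-02.internal"},
}


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    dst: str
    bytes_out: int


def parse_logs(text):
    """Parse whitespace-separated log lines; skip blank or malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, nbytes = parts
        try:
            events.append(Event(ts, user, src, dst, int(nbytes)))
        except ValueError:
            continue
    return events


def daily_outbound(events):
    """Sum bytes_out per (src host, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.src, e.ts[:10])] += e.bytes_out
    return totals


def exfil_spikes(events, factor=10.0, min_bytes=1_000_000_000):
    """Return (host, day, bytes) where a host's daily outbound volume is at
    least `factor` times its mean on earlier days and above `min_bytes`.
    The absolute floor stops a quiet host with a tiny baseline from
    alerting on ordinary traffic growth."""
    per_host = defaultdict(list)
    for (host, day), total in sorted(daily_outbound(events).items()):
        per_host[host].append((day, total))
    alerts = []
    for host, days in per_host.items():
        for i in range(1, len(days)):
            baseline = mean(total for _, total in days[:i])
            day, total = days[i]
            if total >= min_bytes and total >= factor * baseline:
                alerts.append((host, day, total))
    return alerts


def out_of_scope_vendor_access(events, scope=VENDOR_SCOPE):
    """Return (user, dst, ts) where a third-party account touches a host
    outside its contracted set. Accounts not in `scope` are not vendors."""
    alerts = []
    for e in events:
        allowed = scope.get(e.user)
        if allowed is not None and e.dst not in allowed:
            alerts.append((e.user, e.dst, e.ts))
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for a in exfil_spikes(evs):
        print("EXFIL SPIKE", a)
    for a in out_of_scope_vendor_access(evs):
        print("VENDOR OUT OF SCOPE", a)
```

Run against the sample, the script flags ws-101's 9.8 GB sent to an external address at 02:17 on the third day (its two earlier days averaged under half a megabyte) and the HVAC account's first-ever connection to a POS database host. Both detections are deliberately per-entity: the baseline is the host's own history, and the scope is the vendor's own contract, which is what makes the anomalies stand out even though the byte counts involved in the vendor case are tiny.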
Data Breach Prevention
Of the attack vectors listed above, third-party risk is the most worrisome. Why? Because it can encompass any or all of the other attack types. Consider the Target and Home Depot breaches, which saw the use of social engineering to compromise a third-party vendor. Data from CyberGRX Exchange shows 83% of third parties report conducting social engineering training, but 42% aren’t testing whether the training is effective or the level of staff vulnerabilities.
When a third party has gaps in its security awareness program, it’s a risk for you. In our examples, attackers leveraged the trusting nature of the third party to gain network access and compromise the financial data of their real intended targets: the larger retail enterprises with millions of customer records. Given that the average organization now works with more than 6,000 third parties, and that 20% of these third parties are high-risk, it's critical for companies to prioritize the third-party attack vector.
In practice, third-party compromise is an ongoing challenge. The best risk management models take a shared responsibility approach, and good cyber hygiene on both sides helps. This includes automatic security updates for software and devices, unique credentials for each vendor account with MFA and the narrowest possible access scope, prompt revocation of vendor access when an engagement ends, and regular reviews of staff security knowledge so they are aware of emerging risks. Note that periodic forced password changes are no longer recommended by NIST (SP 800-63B); long, unique passwords rotated on evidence of compromise, backed by MFA, do more good.
Data breach prevention and effective third-party protection also depend on proactive risk evaluation. The more information companies have about the security postures of their third parties, likely attack vectors, and potential targets, the better prepared they are to frustrate hacker efforts. With Portfolio Risk Findings, retail and hospitality companies can map threat risk to industry frameworks — such as PCI DSS, HIPAA, or to a threat profile — to better pinpoint specific vendor risks and identify network vulnerabilities.
Retail and hospitality revenues are on the rise, and this steady success makes them tempting targets for cyberattacks. By understanding popular attack patterns, recognizing their common characteristics, and implementing controls to reduce internal and third-party risk, however, companies can take control of their IT environments and better protect critical data.