Data is the new currency. That has been one of the most popular corporate maxims of the last few years, and it's true that data has allowed businesses to offer personalized services. But it has also exposed a fatal flaw: when you hold something as valuable as currency, you have to protect it aggressively, and that hasn't been the case for customer data. Around 110 million accounts were leaked globally in 2023 Q2 alone. When companies fail to protect customer data, they not only lose money but damage customer trust and their reputation in the long run.
Even though cybersecurity is an ever-evolving space, most attacks can be thwarted by exhibiting more vigilance and urgency. In this article, we’ll go over why retailers are frequent victims of cybercrime, common ways data gets leaked and the steps retailers should take to protect customer data.
- Why cybercriminals target retail stores
- 5 common ways customer data is stolen
- How to protect customer data
Why do cybercriminals target retail stores?
Cybercrime is not an industry-specific issue. Almost all industries are working on ways to protect their business and customer data, from tech, transportation and supply chains to healthcare and telecom. Yet, the situation is notably worse for the retail industry. Here are four reasons why retailers need to put extra effort into shielding critical data:
1. Traditionally weak security
While industries like tech and healthcare are quickly adopting new security standards, retail has traditionally lagged behind in security and data privacy. Attackers go after companies with weak security, and these "quick wins" often balloon into mega jackpots. This year, JD Sports, a UK-based sports gear chain, was the victim of an attack that exposed the data of 10 million customers who placed orders between 2018 and 2020. It's a prime example of how complacency about the data retail chains collect and keep, combined with heavy reliance on manual security processes, leads to these attacks.
2. Bigger data footprints
The retail industry's general indifference to security becomes more dangerous when you consider how many data points these stores collect. From order and payment details to shopping history, location and ad interactions, retailers use many different signals to personalize the shopping experience. The bigger the data footprint, the higher the chance that someone slips up and leaves a loophole open. Healthcare is one of the few industries that handles more sensitive data than retail, but it's governed by HIPAA, which imposes strict safeguards and gives patients more control over their data; retail has no equivalent sector-wide rule.
3. Unorganized IoT and shadow IT
Globally, Walmart and Amazon alone employ over 3.5 million people. Retail is a workforce-dependent industry that requires extensive management at every location, and the CCTV cameras, biometric scanners and other video surveillance devices installed to do that give hackers a bigger attack surface than most industries have. On top of this sprawling IoT estate, managers and workers often adopt unauthorized software to simplify their day-to-day tasks. These tools operate outside the purview of IT teams (hence, shadow IT) and may carry vulnerabilities that compromise data integrity.
4. Seasonal rush
Retailers prioritize speed and efficiency over everything else. While constant improvements in supply chain and logistics have helped consumers, an exclusive focus on speed often undermines security. It's particularly visible during seasonal sales, when rushed staff are more likely to fall for phishing emails and to handle card data carelessly at the till, leading to credit and debit card fraud.
5 common ways customer data is stolen
Before you understand how you can protect customer data, you need to be aware of various ways the data can be stolen. Here are the most common ways businesses expose customer data:
1. Phishing attacks
Phishing attacks have stood the test of time because it’s easy to make people do what you want once you have their trust. Hackers know it, and they make full use of it.
Phishing emails and SMS are used to impersonate a trusted source and encourage victims to share confidential data. It’s the few seconds of wrong decision-making that makes phishing so effective.
Hackers often pretend to be from the IT team, or use spear phishing to impersonate someone important within the company, to pressure employees into sharing login details. They also try MFA bombing (MFA fatigue), flooding an employee with authentication prompts until they approve one or hand over a one-time code. Once they're in, hackers use that foothold to look for further weaknesses.
2. Malware and ransomware attacks
Phishing is also the most common way to deliver malware. Phishing emails either carry malicious attachments containing trojans or lead victims to fake login pages built to steal credentials. Once the malware is installed, it sits silently and monitors activity on the device. Banking trojans, for example, activate when the device opens a banking app or particular websites, and as the malware collects more data, hackers plan how to extract more.
Malware comes in many forms, but ransomware causes the most damage. Hackers use it to steal and then encrypt data, demanding large ransoms to restore access and to not publish what they took. Ransomware is popular precisely because data is the new currency: retailers cannot risk losing customer data, so they pay, which funds the next attack.
3. Social engineering attacks
The primary reason why cybercrimes are hard to stop today is because of how sophisticated they’ve become. Social engineering attacks are the prime example of criminals using more refined and well-executed strategies to target retailers.
Social engineering attacks depend on collecting snippets of information posted online and assembling them into a detailed profile ready to be exploited. If your employees are lax about posting personal details online, hackers can track those updates over weeks and months and use them to guess passwords, security-question answers and access codes, or to craft a convincing pretext. If the hackers target the right person, all of that leads back to your company.
4. Identity theft
Identity theft is impersonating a person using their personally identifiable information (PII), such as names, addresses, SSNs, health records and credit reports.
Identity theft can impact your business in two ways:
- If a customer becomes a victim of identity theft, you may lose a lot of money to fraudulent bulk orders placed in their name and the chargebacks that follow
- If an employee becomes a victim of identity theft, it can lead to data theft and other employees becoming victims of phishing attacks
5. AI-enabled attacks
With the proliferation of generative AI, the line between what's real and what's fake has blurred, and for non-tech-savvy employees that is a problem. With AI, it's now easier to craft flawless phishing texts, automate scanning for weak points and clone voices to commit CEO fraud.
This type of attack will only evolve with time, so it’s better to stay ahead and make security a topmost priority.
Steps retailers must take to protect customer data
When it comes to customer data security, retailers have their work cut out for them. It's not possible to be 100% safe from threat actors, but you can follow these steps to raise your security standards:
1. Minimize data liability
When the General Data Protection Regulation (GDPR) was introduced in the EU, one of its fundamental principles was data minimization: limit how much customer data a service collects and how long it is kept. This protects consumers, but it also protects companies by limiting their data liability. When you store only the data necessary to offer a service, you shrink the attack surface and can demonstrate accountability to regulators.
Hoarding old customer data is why the JD Sports breach disclosed this year exposed order records from 2018 to 2020: data kept well beyond any reasonable retention period was still there to steal. By enforcing a minimal data collection policy and periodically deleting obsolete data, you limit what any future breach can expose.
2. Use access management tools
Data shouldn’t be freely available to everyone in the company, especially customer data. Retailers need a strong access control policy so that a compromised account or an exploited system exposes as little as possible. Most businesses rely on discretionary access control (DAC), in which whoever owns a file or folder decides who else may see it; in practice that means access sprawls as managers, IT officers and owners share things ad hoc and nobody revokes them. Two stricter models fit customer data better: mandatory access control (MAC), in which a central policy, not the individual, labels data by sensitivity and decides who is cleared to read it, and role-based access control (RBAC), which grants permissions to roles such as cashier, store manager or analyst and assigns people to those roles, so a cashier can look up an order without being able to export the customer list.
Access control complements data minimization: each account sees only the data its role needs (least privilege), which shrinks the blast radius of a compromised account and gives the business a clear record of who can reach what.
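The following Go program is an added example of the RBAC approach described above; it is not code from Lightspeed or from the original post. The role names, the permission table and the sample customer are constructed for the example. It makes two points the text only states: access is denied by default (an unknown role such as "contractor" gets nothing), and authorization is applied at the field level, so a cashier sees a masked phone number to confirm identity at the till while an analyst gets a pseudonymised record with no name.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Role names, the permission table and the sample customer below are all
// constructed for this example; a real store would load roles from its
// identity provider or POS configuration.
type Role string

const (
	RoleCashier Role = "cashier"
	RoleManager Role = "manager"
	RoleAnalyst Role = "analyst"
)

// permissions lists the actions each role may perform. Anything not listed,
// including every action for an unknown role, is denied (deny by default).
var permissions = map[Role]map[string]bool{
	RoleCashier: {"order:read": true, "customer:read": true},
	RoleManager: {"order:read": true, "order:refund": true, "customer:read": true},
	RoleAnalyst: {"order:read": true, "customer:read": true, "customer:export": true},
}

var ErrDenied = errors.New("access denied")

// Authorize returns nil when role is allowed to perform action.
func Authorize(role Role, action string) error {
	if permissions[role][action] { // indexing a missing inner map yields false
		return nil
	}
	return ErrDenied
}

// Customer is the stored record. Only the fields a role needs are returned.
type Customer struct {
	ID    string
	Name  string
	Email string
	Phone string
}

// maskEmail keeps the first character and the domain:
// "jane.doe@example.com" becomes "j***@example.com".
func maskEmail(e string) string {
	at := strings.IndexByte(e, '@')
	if at <= 0 {
		return "***"
	}
	return e[:1] + "***" + e[at:]
}

// maskPhone keeps only the last four digits.
func maskPhone(p string) string {
	if len(p) <= 4 {
		return "****"
	}
	return strings.Repeat("*", len(p)-4) + p[len(p)-4:]
}

// ViewCustomer enforces least privilege at the field level: it first checks
// that the role may read customers at all, then trims the record to what
// that role actually needs.
func ViewCustomer(role Role, c Customer) (Customer, error) {
	if err := Authorize(role, "customer:read"); err != nil {
		return Customer{}, err
	}
	switch role {
	case RoleCashier:
		// Enough to confirm identity at the till, nothing worth copying out.
		return Customer{ID: c.ID, Name: c.Name, Phone: maskPhone(c.Phone)}, nil
	case RoleAnalyst:
		// Analytics needs behaviour, not identity: pseudonymise the record.
		return Customer{ID: c.ID, Email: maskEmail(c.Email)}, nil
	default:
		return c, nil
	}
}

func main() {
	// Constructed sample customer.
	jane := Customer{ID: "C-1001", Name: "Jane Doe", Email: "jane.doe@example.com", Phone: "+15555550123"}
	for _, r := range []Role{RoleCashier, RoleManager, RoleAnalyst, "contractor"} {
		v, err := ViewCustomer(r, jane)
		fmt.Printf("%-10s view=%+v err=%v\n", r, v, err)
	}
	fmt.Println("cashier export:", Authorize(RoleCashier, "customer:export"))
}
```

The permission table is the policy; the code around it never grants anything the table doesn't list, which is what makes adding a new role or revoking one a configuration change rather than a code change.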
3. Encrypt files and network traffic
Customer data is exposed at many points: on payment terminals and back-office machines, in databases and backups, and on the wire between stores, cloud applications and payment processors. Man-in-the-middle interception, brute-forced credentials and SQL injection against web storefronts all aim at those points, and encryption limits what an attacker who reaches one of them can actually read (it won't stop the injection itself, but column-level encryption limits what an injected query returns). You need a data encryption policy that covers both states: data at rest, meaning database, file or disk-level encryption of customer records and backups, and data in transit, meaning TLS on every connection between stores, the cloud and payment processors. Since speed and efficiency are critical for retail stores, AES symmetric encryption, which uses a single key to both encrypt and decrypt, is the right tool for bulk data. Asymmetric (public-key) cryptography is what TLS uses to authenticate the server and agree on those symmetric keys, so the two complement each other rather than compete. The hard part is key management: keys must live apart from the data they protect (in a hardware security module or a cloud key management service), be rotated, and never be hard-coded into applications. Encryption also matters for compliance as businesses move to cloud applications: PCI DSS requires stored cardholder data to be protected and card data to be encrypted when sent over open, public networks, and regulators increasingly ask how data is transferred between parties.
Apart from system and device-level encryption, you must also use VPNs and firewalls to protect the network.
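To make the at-rest side concrete, here is an added Go example (not Lightspeed's code or anything from the original post) that encrypts a single customer field with AES-256-GCM from the standard library. The key, the record ID and the sample e-mail address are constructed for the example; in production the key would come from a KMS or HSM. Beyond the basic round trip it shows three things a practitioner cares about: a fresh nonce per record, the record ID bound as additional authenticated data so a ciphertext moved into another row fails to decrypt, and tamper detection when a single bit is flipped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit key. In production the key comes from a
// KMS or HSM and is never stored next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random 96-bit nonce is
// generated per call and prepended to the output, so encrypting the same
// record twice never yields the same bytes. recordID is bound as additional
// authenticated data: a ciphertext copied into another customer's row
// fails to decrypt.
func Encrypt(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce: nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt and fails on any change to the ciphertext, the
// authentication tag or the record ID.
func Decrypt(key, data []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample field: one customer's e-mail address.
	email := []byte("jane.doe@example.com")
	ct, err := Encrypt(key, email, "cust-1001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d byte field\n", len(ct), len(email))

	pt, err := Decrypt(key, ct, "cust-1001")
	fmt.Printf("correct row:  %q err=%v\n", pt, err)

	_, err = Decrypt(key, ct, "cust-2002")
	fmt.Println("wrong row:    err =", err)

	ct[len(ct)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, ct, "cust-1001")
	fmt.Println("tampered:     err =", err)
}
```

Random 96-bit nonces are safe for roughly 2^32 encryptions under one key, so the key must be rotated before a busy store approaches that volume; rotation is another reason to keep keys in a KMS rather than in application configuration.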
4. Vet software and vendors
The success of a lot of businesses can be traced back to the tech stack they’ve built and refined over the years. But with more applications getting access to your business data, it’s important to vet them properly and make sure they don’t become a security liability. According to WEF’s cybersecurity outlook report, 61% of attacks through third parties have been successful.
Considering the efficiency and features these third-party apps and APIs offer, it's easy to see why people rely on them so heavily. However, companies have to draw a line on data sharing and vet vendors more carefully, since few of these apps focus as much on security as they do on features. Left unchecked, they drift into the category of shadow IT as well.
Focus particularly on your hosted phone system, social media management, file sharing and automation tools that require critical data to function. Create checklists and periodically audit the vendors and software you connect with your stores.
5. Train employees
According to Verizon’s Data Breach Investigations Report, 82% of breaches involved the human element last year. Your employees are your biggest asset against customer data theft, and if you don’t empower them with proper training, they can also become your biggest liability.
Make sure they’re aware of basic security practices: strong, unique passwords (ideally kept in a password manager) with MFA turned on, and how to recognize phishing and social engineering attempts. Since data security and privacy standards evolve fast, run regular training sessions and explain what has changed. Preventive measures such as access management, data minimization and vendor screening only work if you have trained, proactive employees behind them.
6. Compare security policies with data protection laws
One of the best ways to protect your stores and customers is to hold your security policies to the strictest data protection standards in the markets you sell in. GDPR, the California Consumer Privacy Act (CCPA) and Canada’s anti-spam legislation (CASL) are among the most detailed privacy and data protection laws, and on top of them you should stay up to date with the PCI DSS requirements for handling payment card data.
By adopting a zero-trust model and continuously enforcing your data privacy rules, you can safeguard customer data.
Ready to upgrade your retail store operations?
With Lightspeed’s retail-focused business tools, you can implement smooth operational and employee workflows—all from one place. Watch a demo today.