When Scarborough, Maine-based Hannaford Bros. suffered a network breach in 2008 that exposed the payment data of 4.2 million customers, industry players vowed to tighten their data security. For its part, Hannaford reportedly spent several million dollars to replace the PIN pads at all of its stores so that it could encrypt bank-card numbers at the point of entry. The retailer also installed real-time security-monitoring software. So far, at least, these changes have prevented further breaches at the company.
But five years later, cyberattacks seem to be more common than ever. In the first quarter of this year alone, Phoenix-based Sprouts Farmers Market said it had malware planted on point-of-sale (POS) equipment at 19 of its 151 stores.
Bashas' "located and removed a highly sophisticated piece of malware that has never been seen before in the industry," according to a company statement, though not before the malware accessed consumer payment data from some of the Chandler, Ariz.-based chain's more than 130 stores. And St. Louis-based Schnuck Markets acknowledged at the end of March it had been "the victim of a cyberattack" that stole payment-card data from some of its 100 stores.
The fact is, cybercrime is on the rise: According to an October 2012 study of 56 companies by Ponemon Institute, the businesses suffered an average of 1.8 successful cyberattacks a week in 2012, up 42 percent from the previous year. The cost of preventing more successful attacks, as well as of dealing with the results of successful hacks and subsequent loss of business, averaged $8.9 million per company, a 6 percent increase from 2011.
But lawsuits can increase the cost. Schnuck Markets said in a court filing that the data breach could cost the company $80 million in Illinois alone if a class-action lawsuit involving as many as 500,000 consumers moves forward, the Chicago Tribune reported. A Schnuck spokeswoman said the lawsuit was without merit.
Some criminals are interested in the sort of personal data, such as email addresses for use in phishing scams, that can be reaped by hacking into loyalty-card programs. But bank card numbers and personal identification numbers (PINs) remain the most highly sought-after data. An increase in the use of credit and debit cards at point-of-sale devices, online and via mobile gives criminals more data to target and more points of entry.
One reason for the rise in successful attacks, says Tom Kellermann, vice president of cybersecurity at Trend Micro, a provider of cloud security services with U.S. headquarters in Cupertino, Calif., is that "organized crime has moved heavily into hacking. This is evidenced by the decline in street crime globally, as noted by Interpol."
At the same time, "retailers are suffering from the same kinds of problems that the entire economy is suffering from: miseducation, lack of good security training, poor software that is critical to conduct business, and reduced funding for IT departments," says Steven Aiello, a systems support manager with Ann Arbor, Mich.-based Online Tech, a provider of data centers and security.
Although cybercrime is a growing problem, retailers shouldn't assume it's insurmountable. By complying with basic security safeguards, retailers can stave off significant threats. "The best thing retailers can do is address low-hanging fruit," Aiello says. "You don't want to be the slowest gazelle in the pack."