Mobile

11/28/2017
02:55 PM
50%
50%

Retail and Hospitality Breaches Declined Over Past 2 Years

A drop in publicly disclosed breaches for the two industries is due in part to fewer point-of-sale breaches.

Publicly disclosed breaches in the retail and hospitality industries have fallen to less than five occurrences per month, down from double-digit figures over the last two years, a new report released today reveals.

This drop is attributed in part to merchants, hotels, and restaurant chains retooling their point-of-sale (POS) systems to accept EMV or chip payment cards, says Stephen Boyer, CTO and co-founder of BitSight Technologies, which authored the report.

"EMV adoption has really accelerated since the Target breach and that could partly be the reason why the total number of breaches is trending down," Boyer says. "You hear a lot about breaches all the time, so I was not expecting the total trend to be going down."

During the January 2015 to January 2017 period analyzed in BitSight's report, the total combined number of publicly disclosed breaches in the retail and hospitality industries reached 320. But over the span of two years, it fell from 186 breaches in 2015, to 131 in 2016, with just three reported breaches in January.

POS systems were the largest vector of attacks for the hospitality industry, accounting for nearly 40% of the 181 breaches hotels and restaurants faced over the two-year period, according to BitSight's data. The frequency of POS attacks fell sharply from eight a month in 2015, to as few as two toward the end of 2016.

Web apps, meanwhile, were the largest targets of attack in the retail industry, accounting for nearly 30% of the 139 breaches encountered during that period. During the first half of 2016, the retail industry had a slight spike in publicly disclosed Web app attacks, but no POS attacks, according to BitSight data. And in the first quarter of 2016, the hospitality industry got hit with six publicly disclosed Web attacks at a time when its POS attacks dipped.

"I have no doubt that EMV cards are forcing some cybercriminals to Web apps. I think that is the only explanation that makes a lot of sense," says Avivah Litan, a Gartner analyst.

Chip cards are less lucrative and more work for cybercriminals to deal with, Litan says. EMV cards do not carry users' data on a magnetic strip that can be skimmed and sold on the Dark Web, and specialized equipment is needed to pull information off the chip payment card, she notes.

Given those challenges, hitting a Web app and intercepting an e-commerce transaction may be easier for cyberthieves, according to BitSight's Boyer.

He adds that although companies are getting better at protecting their customers' data and transactions, cybercriminals remain highly motivated, and data breaches against the retail and hospitality industries aren't likely to subside.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.
CVE-2018-1560
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a tr...
CVE-2018-1588
PUBLISHED: 2018-09-25
IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resourc...