In the course of two weeks, the retail industry has been pummeled with two massive data breaches and a high-profile data leak, contributing to the uneasiness consumers already feel when it comes to retailers and their ability to safeguard their information.
Security researchers on April 3 disclosed a massive data leak at Panera Bread, which is believed to have affected more than 37 million customer records by exposing customer names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers, reports Krebs on Security.
That disclosure came eight months after Panera Bread had been informed of the leak by security researcher Dylan Houlihan but did not develop a fix until the information was publicly disclosed, according to Krebs.
And on April 1, Hudson Bay Company, the parent company of Saks Fifth Avenue and Lord & Taylor, issued a statement that it had suffered a massive data breach, which affected approximately 5 million credit card numbers, although that number could rise.
But the biggest attack to date this year is Under Armour's mega-massive breach of 150 million users for its MyFitnessPal app. The fitness clothing retailer, which made the disclosure two weeks ago, not only topped the breach charts this year for the retail industry but all industries.
Retail ranks second in industry attacks
The retail and accommodations industries combined ranked No. 2 in breaches, representing 15% of the 1,935 breaches last year, according to Verizon's 2017 Data Breach Investigations Report.
Ninety-six percent of cyber attacks in the retail industry are driven by threat actors looking for financial gain, with 57% of the data compromised falling into the payments category, according to the report.
"Payment information is the first target they go after in retail. Payment card information is very liquid and easy to sell on the Dark Web. Private data is not as valuable as credit card and payment card data," Andrei Barysevich, advisor to Gemini Advisory told Security Now.
Panera's data leak, for example, while massive, offers very little direct value for cybercriminals, Barysevich said. In order to make the data valuable, an attacker would have to use the gleaned Panera Bread data as a tool for social engineering or a phishing attack, which in turn would then potentially yield a payday for the attacker, he explained.
Not only does the retail industry tend to have a treasure trove of credit card and payment data, but Barysevich adds the industry tends to be less IT security savvy than other industries, such as the finance industry, and as a result has a tougher time detecting and fending off attacks.
"Finance companies have more experience defending against attacks and have been doing it longer than the retail industry," Barysevich said. "Retailers also tend to spend less money on security unless they have a breach."
Daniel Miessler, client advisory services director at IOActive, told Security Now that he has found that many companies tend to spend their time and resources defending themselves against auditors rather than attackers.
"They end up vulnerable to the latter because of it," Miessler said.
The common thread that binds
The common thread that ties together mass data breaches, and the list runs the gamut of targeted industries, is the centralization of large quantities of sensitive data used for account access or payments, George Avetisov, CEO of HYPR, told Security Now.
"When there's a large central repository of data that malicious third parties can sell, buy and reuse, it's not a matter of if the data will be hacked, it's a matter of when," he said.
Large service providers can abandon the risky practice of holding vast amounts of data and decentralize credentials, such as biometrics, PINs, passwords and bankcards, Avetisov advises. He noted decentralized authentication may keep sensitive data safely encrypted and isolated on the end user's mobile device.
"This removes the target and forces hackers to move from a wholesale fraud model to a markedly unsaleable retail one, whereby he or she must go from device to device in the hopes of possibly obtaining one set of credentials," Avetisov added. "The best prevention is to remove the target that is hit time and again."
— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.