Why retailers keep getting hacked

Australian retailers are grappling to deal with becoming the new target in an IT security “cold war” against attackers who have refocused their sights away from financial services firms and onto more lucrative prey.

Over the last few years, attackers have managed to successfully infiltrate big US retailers like Target, Neiman Marcus, Home Depot, and Staples, among others. More locally, retailers including David Jones, Kmart, Catch of the Day, and Aussie Farmers Direct suffered similar fates.

Recent research by the NTT Group shows the retail industry experienced almost three times more attacks than the financial services industry in the past year.

Trend Micro put retail above financial services in its list of the industries most impacted by data breaches from 2005-2015 [pdf]. According to its research, reports of data breaches skyrocketed in the retail industry in 2010 and have remained at high levels since.

“It started getting really tough for [attackers] to get something out of [financial services firms] so they went ‘who else has customer data, PII etc - oh hello retailers’”, Woolworths CISO Pieter van der Merwe told this week’s AISA 2016 conference.

“Financial institutions have really hardened their game, they’ve spent lots of money on prevention and detection, so the bad guys just go ‘ok I’ll try another target. Let’s go for retail, there’s a lot of PII data there’”, Myer security and risk manager Richard Heron said.

“The malware that brought down Target was available on the dark web for around $500. If I’m a bad guy and I can get malware that can go to hundreds of thousands of PoS systems for only $500, I’m having a piece of that.”

Attackers have pinpointed point-of-sale systems as the weakest link in the retail chain; according to Verizon’s 2016 data breach report, 64 percent of breaches in the retail industry that contained data loss were caused by point-of-sale intrusions.

Trend Micro attributes the growth of attacks in the sector to the development of PoS RAM scrapers in around 2007.

“A credit card number sells for $0.80 on the black market at the moment. A credit card with full details sell for $8. So it’s relatively easy to make money from,” Kmart IT security and risk executive Endre Bihari said.

“So [if I was an attacker] I would go for the weakest link I perceive, which is the point of sale. But it’s not just that - there’s a whole lot of things people can utilise to get that information.”

It also doesn’t help that the retail industry has been somewhat infamous for a certain level of inertia towards technological innovation.

“We haven’t really kept up with the basic things we should have been doing and now we’re playing catch up - it’s unwinding 15 years of bad IT management and playing with guys that are a lot more advanced than we are at the moment,” Woolworths’ van der Merwe said.

This heightened threat has prompted the local retail industry to collaborate more and share detail on threat intelligence to build collective muscle against attackers.

A new ‘retail information security forum’, hosted by Myer, has now met twice. Around 15 different retailers are involved in the forum, which is intended to share ideas, approaches, and experiences on IT security.

“We do compete at the cash register, but we’re all fighting the same war on cyber criminals,” Heron said.

“One of the things I saw when I came to Woolworths 18 months ago was that we were very insular. It’s nice to be out in Bella Vista [in Sydney's north-west], it’s a great environment, you’ve got everything you need, but it becomes a problem if you don’t interact with anybody else in this space,” van der Merwe said.

“It’s critical to share not only amongst ourselves but with others. If you talk to the guys in banking or in government, they’re suffering the same stuff - they’ve seen the same phishing attacks, the same malware coming through.

“We could do more, at a formalised information sharing level, but we’re getting there.”

The contractor risk

Target was infamously brought down by malware introduced via one of its contractors who had been duped by a phishing email.

The Citadel malware stole the contractor’s log in details to obtain access to Target’s contractor services portal, later breaking into the wider Target network and deploying the BlackPoS RAM-scraping malware.

Transient workforces are inherent to the retail industry - the Australian sector has a high 38 percent rate of casual employment compared to the entire industry average of 26 percent - and it's one of the areas that poses the greatest threat..

For van der Merwe, it’s not the supply chain, corporate systems, or any other area of his IT environment that keeps him up at night - it’s the retailer's 200,000-odd casual staff.

“I’ve got a transient workforce coming into my retail environment, working on my PoS systems, then going away. We cannot always assume that they are loyal to the brand," the CISO said.

Part of his solution to this risk has been to strip away technological language from policies and engage with staff on a personal level.

“We’re teaching them them things that they can take home and show their family about how to be safe online. Our new acceptable use policy, which is rolling out at the moment, has cartoons to show you what to do, as well as words," he said.

"It’s plain simple language that you and your mum can talk about at the dinner table.”

Embedding a security mindset within the worker base is crucially important to ensuring your business does not become the next Kmart or David Jones, all three CISOs said.

"No-one wants to be front page news," Myer's Heron said.

"Your credit card data and PII data that we hold is extremely important. We don't want to lose credibility in the market, we don't want to get fined, or to lose our compliance - there's so many little facets that come into play that show your data is very important."