NAICS 44-45

  • Summary

    The Retail industry continues to be a target for Financially motivated criminals looking to cash in on the combination of Payment cards and Personal information this sector is known for. Social tactics include Pretexting and Phishing, with the former commonly resulting in fraudulent money transfers.


    725 incidents, 165 with confirmed data disclosure

    Top Patterns: System Intrusion, Social Engineering, and Basic Web Application Attacks represent 77% of breaches

    Threat Actors: External (84%), Internal (17%), Multiple (2%), Partner (1%) (breaches)

    Actor Motives: Financial (99%), Espionage (1%) (breaches)

    Data compromised: Payment (42%), Personal (41%), Credentials (33%), Other (16%) (breaches)

    Top IG1 Protective Controls: Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6)

  • Figure 120
  • The first noteworthy item in the At-a-Glance table is the difference in the number of incidents versus the number of confirmed data breaches. The main cause of this was a large number of DoS attacks (409) that were launched against this sector. And while System Intrusion was the top pattern for breaches (Figure 120), it came in second place for incidents where no breach could be confirmed (177 incidents in this pattern, 69 of which were confirmed breaches). 

    Our main point here is: Don’t let the low number of breaches fool you—this sector remains a target. 

    The System Intrusion pattern was prevalent, and tells the story of the common coupling of the Use of stolen creds with dropping Malware to capture application data. The Social Engineering pattern is a close runner-up in this race, with Pretexting—where the adversary develops an invented scenario to get their target to take the bait (usually followed by a money transfer of some type)—being more common than we usually see in other industries (Figure 121). Don’t get us wrong, the Phishing lure is still effective here. It is difficult to determine if the targeting of employees via Pretexting is a sign that criminals are having to work harder for the money, or if it is just simpler for the attackers to dupe employees into committing fraud on their behalf.

    Unsurprisingly, the top data types compromised include Payment card data (which is largely what makes this industry so very attractive to Financially motivated criminals), Personal data (also useful for various kinds of financial fraud), and Credentials (Figure 122). We’ve said it before, and we’ll say it again—everyone loves credentials. Credentials are the glazed donut of data types.

  • Figure 121
  • Figure 122
