Retail
NAICS 44-45

Summary

The Retail industry continues to be a target for Financially motivated criminals looking to cash in on the combination of Payment cards and Personal information this sector is known for. Social tactics include Pretexting and Phishing, with the former commonly resulting in fraudulent money transfers.

Frequency

725 incidents, 165 with confirmed data disclosure

Top Patterns

System Intrusion, Social Engineering, and Basic Web Application Attacks represent 77% of breaches

Threat Actors

External (84%), Internal (17%), Multiple (2%), Partner (1%) (breaches)

Actor Motives

Financial (99%), Espionage (1%) (breaches)

Data compromised

Payment (42%), Personal (41%), Credentials (33%), Other (16%) (breaches)

Top IG1 Protective Controls

Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6)

The first noteworthy item in the At-a-Glance table is the difference in the number of incidents versus the number of confirmed data breaches. The main cause of this was a large number of DoS attacks (409) that were launched against this sector. And while System Intrusion was the top pattern for breaches (Figure 120), it came in second place for incidents where no breach could be confirmed (177 incidents in this pattern, 69 of which were confirmed breaches). 

Our main point here is: Don’t let the low number of breaches fool you—this sector remains a target. 

The System Intrusion pattern was prevalent, and tells the story of the common coupling of the Use of stolen creds with dropping Malware to capture application data. The Social Engineering pattern is a close runner up in this race, with Pretexting—where the adversary develops an invented scenario to get their target to take the bait (usually followed by a money transfer of some type)—being more common than we usually see in other industries (Figure 121). Don’t get us wrong, the Phishing lure is still effective here. It is difficult to determine if the targeting of employees via Pretexting is a sign that criminals are having to work harder for the money, or if it is just simpler for the attackers to dupe employees into committing fraud on their behalf. 

Unsurprisingly, the top data types compromised include Payment card data (which is largely what makes this industry so very attractive to Financially motivated criminals), Personal data (also useful for various kinds of financial fraud), and Credentials (Figure 122). We’ve said it before, and we’ll say it again—everyone loves credentials. Credentials are the glazed donut of data types.