Retail
NAICS 44-45

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

  • Frequency

     

    629 incidents, 241 with confirmed data disclosure

    Top patterns

     

    System Intrusion, Social Engineering and Basic Web Application Attacks represent 84% of breaches

    Threat actors

     

    External (87%), Internal (13%) (breaches)

    Actor motives

     

    Financial (98%), Espionage (2%) (breaches)

    Data compromised

     

    Credentials (45%), Personal (27%), Other (25%), Payment (24%) (breaches)

    Top IG1 protective controls

     

    Security Awareness and Skills Training (CSC 14), Access Control Management (CSC 6), Secure Configuration of Enterprise Assets and Software (CSC 4)

    What is the same?

     

    These organizations continue to be impacted by a variety of threat actors that leverage a range of tactics such as deploying malware to capture credit cards being processed by webforms and more common tactics like phishing.

    Summary

     

    The Retail industry is experiencing the same types of attacks they suffered last year; Use of stolen credentials, Phishing and Ransomware.

  • Patterns

     

    5-Year difference

     

    3-Year difference

    Basic Web Application Attacks

     

    No change

     

    Less

    Social Engineering

     

    No change

     

    Greater

    System Intrusion

     

    Greater

     

    No change

  • Pattern

     

    Difference with peers

     

     

    System Intrusion

     

    Greater

     

     

    Social Engineering

     

    Greater

     

     

    Basic Web Application Attacks

     

    Less

     

     

  • Our society, indeed the entire globe, has seen an astounding amount of change over the last couple of years. The Retail industry, on the other hand, has not, at least when it comes to breaches. As tempting as it was to simply cut and paste our findings for this industry from last year’s report, we bravely refrained from doing so. Nevertheless, while the needle has not moved very much from when we last looked at it, there are a few noteworthy findings. 

    Social attacks, roughly split between Phishing (53%) and Pretexting (47%), have been on the rise over the last few years in the Retail industry: 7% in 2016, 13% in 2018, 29% this year. This accounts for Social Engineering’s position in the top three patterns. Therefore, as one might expect, Credentials are the top data type compromised in this vertical. In many cases those Credentials are later utilized to hack into servers and load ransomware (47%). Then the criminals sit back and wait for a big payday. 

    One interesting finding this year is that the Malware enumeration of “Capture app data” in the Retail industry is 7 times higher than the other industries. This goes some way to explain why the System Intrusion pattern is ranked at first place in this industry. The “capture app data” functionality is one that we commonly see in Magecart-type attacks, in which the attacker will typically exploit a vulnerability, use stolen credentials to gain access to an e-commerce server and then just chill there and take a little sumpin’ sumpin’ for themselves, almost always payment card data. 

    Finally, when a company in the Retail industry learns that they have become a victim, it’s via fraud detection mechanisms (e.g., Common Point of Purchase (CPP) or law enforcement) more than any other industry. This is perhaps a rather intuitive finding given the fact that retail is responsible for so many transactions, but it is noteworthy nonetheless. 

Let's get started.