NEW YORK – A new report contends that more than 50 percent of retailers have failed to meet the Payment Card Industry Data Security Standard (PCI DSS), putting both them and their customers at risk from hackers this holiday season.
The 2016 Biggest Holiday Retailers Cybersecurity Report, published by SecurityScorecard, provides a comprehensive analysis exposing frightening cybersecurity vulnerabilities across 48 of the biggest U.S. retailers. As sales continue to shatter records, major retailers are failing to keep up with the critical processes needed to protect shoppers from being compromised.
Issues discovered include malware infections, use of end-of-life products, weak network security and low security awareness among employees.
“In my previous role as a Chief Information Security Officer with a large retailer, this time of year is always tough for security professionals. With more consumers, more transactional data, and more credit cards to steal, the holiday shopping season is an ideal time for a hacker to attack,” said Sam Kassoumeh, Co-Founder and COO of SecurityScorecard. “Our analysis indicates that even the most secure retailers could be susceptible to a breach. Additionally, previously installed and dormant malware could be activated during this time of year to capitalize on a larger score. If a hacker decides to take action while organizations scramble to keep up with an uptick in sales activity, attacks are more likely to be successful.”
Among the report’s other key findings are:
100% of the Biggest Holiday Retailers were found to have multiple issues with domain security, which increases the risk of hackers impersonating a retailer’s site and falsifying a checkout form to obtain a user’s credit card information.
Over 90% of the Biggest Holiday Retailers are missing an SPF record, which increases the risk of an email spoofing attack reaching consumers.
Nearly 80% of the Biggest Holiday Retailers may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
In October 2016, 83% of the Biggest Holiday Retailers had unpatched vulnerabilities.
All bottom-performing holiday retailers have a D or lower in Network Security, suggesting that their network may have an unaccounted-for access point ready to be exploited.
62% of the Biggest Holiday Retailers were using end-of-life products in the last month, which makes them more susceptible to a number of attacks or exploits.
43% of the Biggest Holiday Retailers were infected with malware between April and June 2016.
In addition to system vulnerabilities, SecurityScorecard also found that many of the Biggest Holiday Retailers had employees who lacked training in basic security best practices.
“The Biggest Retailers’ last place ranking in Hacker Chatter and Social Engineering complicates things further for their internal security. Low Social Engineering scores are indicative that an organization’s employees are vulnerable to attacks that prey on a lack of knowledge,” said Kassoumeh.
The 2016 Biggest Holiday Retailers Cybersecurity Report analyzed the security ratings of the 48 biggest U.S. retailers over a seven-month period between April 1 and October 31, 2016. These retailers were selected from the NRF’s 2016 Top 100 Retailers list. The conclusions and rankings featured in the report are based on data derived from SecurityScorecard’s patented security rating platform.
For more information about these findings, download the full report.