RETAIL CYBERSECURITY
ACID Technologies provides retailers with 24/7/365 dark web monitoring services, while also continuously monitoring the deep web and multiple additional sources. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the targeted business to effectively respond to the threat, mitigate its harmful impact, and potentially foil it altogether.
What makes the retail sector attractive to cybercriminals?
The retail sector is continuing its growth – in physical stores, as well as in online ones.
The National Retail Federation (NRF) has forecast that retail sales will grow by between 2.5% and 3.5% in 2024, to between $5.23 trillion and $5.28 trillion. According to CapitalOne Shopping, there are more than 4.76 billion retail shoppers worldwide, a number projected to reach 5.6 billion by 2030.
Retailers, even the smaller ones, store valuable payment information and personally identifiable information (PII) of customers. In large retail chains, which have tens to hundreds of millions of customers, the amount of sensitive information is immense. It therefore comes as no surprise that 24% of cyber attacks are directed at retailers (Trustwave), with cybercriminals primarily interested in financial gains. The online stores operated by retailers greatly increase the risk.
What is the potential impact of cyber attacks on retailers?
The average cost of a data breach in the retail sector is estimated at $2.9 million (Trustwave). The severe penalties for noncompliance with data and privacy laws and regulations which retailers are required to obey must also be taken into account.
The damage caused to retailers as a result of a cyber attack is not measured in financial losses alone, but also in the impact on reputation, customer trust and loyalty, which are paramount to their success.
62% of consumers are not confident about the security of their data with retailers; 25% of consumers know that their data is not safe with retailers; 43% of responders reported having been a victim of a fraudulent charge from retailers; and 52% of responders who have been victims of fraud said that the incident negatively impacted their view of the retailer (Digital Commerce).
This stresses the importance of effective cybersecurity in the retail sector.
Which data and privacy laws and regulations are retailers required to comply with, and what are the penalties for noncompliance?
The main laws and regulations applicable to retailers serving customers in the USA and Europe are:
- The European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of data, and is considered by many as setting a global standard. In general terms, the GDPR deals with data protection, and is relevant to retailers in light of the vast amount of sensitive information they hold. One of its main principles is that personal data must be processed “lawfully, fairly, and transparently.” This means that retailers may collect such information only after receiving the informed consent of the users, and must also give users the option of requesting that the personal data collected about them be deleted.
Noncompliance with the GDPR can result in penalties that are potentially catastrophic to a retailer: up to €20 million or 4% of global annual turnover, whichever is higher.
- The California Consumer Privacy Act of 2018 (CCPA), which gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations, which provide guidance on the law’s implementation. The law applies to any business that collects personal information from California residents, which has 100,000 or more customers and a minimum of $25 million in annual gross revenue. It includes:
• Consumers’ right to know about the personal information a business collects about them and how it is used and shared
• The right to delete personal information collected from them (with some exceptions)
• The right to opt-out of the sale or sharing of their personal information, and
• The right to non-discrimination for exercising their CCPA rights
A later amendment added new privacy protections, which came into effect on January 1, 2023, including:
• The right to correct inaccurate personal information that a business has about consumers, and
• The right to limit the use and disclosure of sensitive personal information collected about them.
Civil penalties of up to $7,500 per violation can be imposed on businesses found to have intentionally violated the CCPA. The maximum fine for other violations is $2,500 per violation.
What are the cyber threats facing the retail sector?
Some of the threats faced by retailers include:
- Phishing and social engineering attacks – phishing attacks are becoming increasingly sophisticated, more personalized, and harder for untrained persons to identify. This becomes an even greater problem when retailers hire a large number of employees for the busy holiday season, for example. A new and concerning trend is vishing, or voice phishing, in which the perpetrators impersonate a member of the company using deepfake technology and trick employees into disclosing sensitive information.
- Ransomware – cybercriminals are increasingly likely to target retailers at times when they launch marketing campaigns offering discounts to attract a large number of customers, for example ahead of the holiday season. At such times, the encryption of their data is particularly damaging, and retailers will be more willing to pay the ransom to restore operations rather than lose customers to competitors.
- Exploitation of Internet of Things (IoT) vulnerabilities – IoT devices used by retailers, among them POS systems and smart shelves, leave them vulnerable to hacking if not properly protected.
- Supply chain attacks – as retailers rely on external providers for a variety of services, security gaps in the providers’ systems also place the retailer’s own e-commerce business at risk.
- Insider threats – authorized users who are in fact malicious actors, for example employees who feel they are being treated unfairly or have been unfairly terminated (and whose login credentials have not been removed from the system), and who therefore bear a grudge and set out to exact revenge and/or line their pockets.
What are some cyber attacks that illustrate the impact of such attacks on the retail sector?
- In May 2024, the luxury retailer Neiman Marcus was targeted in a cyber attack carried out by a hacker using the name “Sp1d3r”. In the statement issued by the company, it wrote: “In May 2024, Neiman Marcus Group (NMG) learned that an unauthorized third party gained access to a cloud database platform used by NMG. Based on our investigation, we determined that the unauthorized third party obtained certain personal information stored in the database platform. The types of personal information affected varied by individual, and included information such as names, contact information (e.g., email and postal addresses, and phone numbers), dates of birth, Neiman Marcus and Bergdorf Goodman gift card information (without gift card PINs), transaction data, partial credit card numbers (without expiration dates or CVVs), the last four digits of Social Security numbers, and employee identification numbers.” Troy Hunt, founder of “Have I Been Pwned”, analyzed the stolen data and claimed that more than 31 million customer email addresses were exposed, but the company itself claimed that the attack affected only 64,472 customers.
- In September 2024, a number of prominent French retailers were the victims of cyber attacks. These included Boulanger (electronic equipment and household appliances), Cultura (books, games, music, musical instruments and more), Truffaut (gardening supplies, products for pets and for the home), Pepe Jeans (clothing) and, according to several media outlets, possibly additional retailers. The attacks resulted in the theft of data. According to a statement issued by Boulanger, customer addresses were compromised, but not financial data. Cultura, which operates 110 stores in France, confirmed that data on 1.5 million of its customers, including their names, order details, email addresses, street and postal addresses, and telephone numbers, was stolen, but not banking data. The perpetrator calling itself “horrormar44” claimed responsibility for the attacks.
- In November 2024, Ahold Delhaize USA, the fourth largest grocery retail group in the USA and one of the largest in the world, selling to 63 million customers weekly, was targeted by cybercriminals. The attack impacted a number of its national chains, among them Stop & Shop, Hannaford and Food Lion. According to Cybernews, Ahold Delhaize uses an omnichannel, customer-centric business model to integrate all of a brand’s channels – including physical stores, apps, websites, social media and more – which could explain why all of its US supermarket chains had been experiencing IT difficulties since the previous week. Grocery shoppers reported empty shelves at numerous locations in the New England area, believed to be the result of the attack’s disruption of truck shipments.
ACID helps retailers maintain business continuity, preserve their customers’ trust and build customer loyalty. Clusters of robots are deployed, sophisticated algorithms implemented, avatars injected and crawlers used, imitating regular user activity, to continuously monitor the dark web and numerous additional sources in order to detect signs of impending attacks while still in their planning stage, attacks that are in progress, and leaked data indicating a breach. Client-specific keywords are used, and the relevant languages are chosen, to provide optimal results. Once a threat is detected, ACID sends real-time alerts to the targeted retailer, enabling it to implement countermeasures that diminish the effects of the attack. In some cases, the real-time alerts and precise information enable the targeted business to thwart the attack before it is actually launched.