Retail (NAICS 44-45)

2023

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Frequency		406 incidents, 193 with confirmed data disclosure
Top patterns		System Intrusion, Social Engineering and Basic Web Application Attacks represent 88% of breaches
Threat actors		External (94%), Internal (7%), Multiple (2%), Partner (2%) (breaches)
Actor motives		Financial (100%), Espionage (1%) (breaches)
Data compromised		Payment (37%), Credentials (35%), Other (32%), Personal (23%) (breaches)
What is the same?		Retail organizations continue to be lucrative targets for cybercriminals looking to collect Payment card data.
Summary		While the same three patterns dominate this industry as many others, Retail has the added bonus of being targeted for its Payment card data in addition to common threats like ransomware and Basic Web Application Attacks.

Can you breach me now?

Some people turn to the Retail sector as a form of therapy—and we on the DBIR team probably have more dragons, guitars and cuckoo clocks (don’t ask) than we really need. Sadly, criminals have been enjoying their own “retail therapy” by targeting this sector for many years. They continue to do so by capitalizing on this industry’s heavy use of payment data.

Top actions/top vectors

When it comes down to how these breaches and incidents occur, it is a roundup of the usual suspects, with both Ransomware and Use of stolen credentials among the top, along with Email and Web applications for vector. However, there is a relatively unique addition to some of these actions—the “Export data” and “Capture app data.” This is also one of the few industries where we see “Other” creep up as one of the top actions (Figure 60), and that’s largely because there’s a variety of secondary actions that actors are using to either deploy their ransomware or find a way to collect payment cards.

If you are in the Retail world and you operate an e-commerce platform, then this section is especially worth paying attention to. Within Retail, we often find the “Magecart”⁵¹-type actors. These criminals find ways of embedding their malicious code within your site’s credit card processing page. This allows them to quietly and subtly abscond with your customers’ payment data without actually affecting the functionality of your website. Currently, these attacks represent about 18% of Retail breaches. While we freely admit that we don’t always know how these Actors were able to access the web application and upload their bad JavaScript, we have seen them use several different tricks (Figure 61).

Stolen credentials: $5. Domain hosting: $12. Malicious JavaScript: $50. Snagging all the fullz: priceless.

Considering the function of this industry, it is hardly surprising to see Payment card data as one of the most common data types breached, accounting for 37% of breaches this year. If you look at Figure 62, you can readily observe that Payment card data has been trending downward since its high-water mark in 2018. However, we are seeing a relatively large increase in Payment card data stolen as compared to last year. Although stealing payment cards is a tried-and-true method of monetizing data, sometimes the threat actor simply wants a quicker payday. Ransomware has definitely skewed some of the data in this sector, but it seems as if Payment card data is still extremely valuable and will continue to remain a popular target.

This begs the question: where is this data being stolen from? Because it’s difficult to protect something if you don’t know what you are protecting. Luckily, we have some data that may help. In our analysis of just payment card breaches in Retail, we found that 70% of breaches originated from Web applications, 17% from Gas terminals and 8% from PoS Servers. This once again illustrates how e-commerce has made it way too easy to get what you want, including stolen credit cards. If you are looking for some added incentive, it’s worth mentioning that by the time our 2024 DBIR is published, you should all already be compliant with Payment Card Industry (PCI) Data Security Standard (DSS) 4.0.⁵²