-
Summary
Attacks against e-commerce applications are by far the leading cause of breaches in this industry. As organizations continue to move their primary operations to the web, the criminals migrate along with them. Consequently, Point of Sale (PoS)-related breaches, which were for many years the dominant concern for this vertical, continue the low levels of 2019’s DBIR. While Payment data is a commonly lost data type, Personal and Credentials also continue to be highly sought after in this sector.
Frequency
287 incidents, 146 with confirmed data disclosure
Top Patterns
Web Applications, Everything Else and Miscellaneous Errors represent 72% of breaches.
Threat Actors
External (75%), Internal (25%), Partner (1%), Multiple (1%) (breaches)
Actor Motives
Financial (99%), Espionage (1%) (breaches)
Data Compromised
Personal (49%), Payment (47%), Credentials (27%), Other (25%) (breaches)
Top Controls
Boundary Defense (CSC 12), Secure Configurations (CSC 5, CSC 11), Continuous Vulnerability Management (CSC3)
I’ll buy that for $1
We are sure it comes as no surprise to anyone in this sector, but the Retail industry is a frequent target for financially motivated actors. Retail as an industry is almost exclusively financially motivated too, so it is only fair. This sector is targeted by criminal groups who are trying to gain access to the wealth of payment card data held by these organizations. Last year’s trend of transitioning from ‘card-present’ to ‘card-not-present’ crime continued, which drove a similar decrease since 2016 in the use of RAM-scraper malware. Personal data figures prominently in Retail breaches and is more or less tied with Payment for the top data type compromised. Certainly, if the attacker cannot gain access to Payment data, but stumbles across Personal data that is lucrative for other types of financial fraud, they will not file a complaint.
To the web with you
Figure 98 provides us with a good view through the display case as it were in the Retail section. Over the last few years (2014 to 2019), attacks have made the swing away from Point of Sale devices and controllers, and toward Web Applications. This largely follows the trend in the industry of moving transactions primarily to a more web-focused infrastructure. Thus, as the infrastructure changes, the adversaries change along with it to take the easiest path to data.44 Attacks against the latter have been gaining ground. In the 2019 DBIR, we stated that we anticipated Retail breaches were about to lose their majority to web-server-related breaches, and in Figure 99 we can see that has in fact occurred. Be sure to play the lucky lotto numbers printed on the back cover. Winner, winner! Chicken dinner!
- 2020 DBIR
- DBIR Cheat sheet
- Introduction
- Summary of findings
- Results and analysis
- Incident classification patterns and subsets
- Industry analysis
- Accommodation and Food Services
- Arts, Entertainment and Recreation
- Construction
- Educational Services
- Financial and Insurance
- Healthcare
- Information
- Manufacturing
- Mining, Quarrying, Oil & Gas Extraction + Utilities
- Other Services
- Professional, Scientific and Technical Services
- Public Administration
- Real Estate and Rental and Leasing
- Retail
- Transportation and Warehousing
- Does size matter? A deep dive into SMB Breaches
- Regional analysis
- Wrap-up
- CIS Control recommendations
- Year in review
- Appendices (PDF)
- Corrections
- Download the full report (PDF)
-
The Web Applications pattern is composed of two main action varieties: the use of stolen credentials and the exploitation of vulnerable web app infrastructure. Figure 100 shows that Exploit vuln and Use of stolen creds are close competitors for first place in the Hacking varieties category and there is not a great deal to distinguish between them from a percentage point of view. In a perfect world, someone else’s data breach would not raise the risk to your own. However, that is increasingly not the case, with the adversaries amassing datastores of credentials from other people’s misfortune and trying them out against new victims.
You hold the key to my heart
Our non-incident data tells us that in this vertical (Figure 101) credential stuffing is a significant problem. While it is slightly below the most common value for all industries this year, it is not likely that people who have so many keys (credentials) will stop trying them on whatever locks they can find.
-
When the bad actors are not using other people’s keys against your infrastructure, they are using unpatched vulnerabilities in your web apps to gain access. Based on the vulnerability data in Figure 102, only about half of all vulnerabilities are getting patched within the first quarter after discovery. It is best not to put those patches on layaway but go ahead and handle them as soon as possible. We know from past research that those unpatched vulnerabilities tend to linger for quite a while if they aren’t patched in a timely manner—people just never get around to addressing them. Our analysis found that SQL, PHP and local file injection are the most common attacks that are attempted in this industry (Figure 103).
-
Data types
If we were to create a ranking of the most easily monetizable data types, surely Payment card data would be at the top. After all, who doesn’t have the urge to try out that brand new credit card and “break it in” when it first arrives? Figure 104 shows us that the attackers feel the same way, and likely want to build upon their sweet gaming rig with someone else’s money. However, Personal data is tied with Payment data as the reigning champion. It’s easy to forget that as web apps increasingly become the target of choice, the victims’ Personal data is sometimes boxed up and shipped off right along with the Payment data as a lagniappe.
Figure 105 lists the top terms in hacking data from criminal forum and marketplace posts. It stands to reason that they would (like any good SEO effort) tailor their terms to what is most in demand. Clearly banking and payment card data is high on everybody’s wish list, although those who are doing this type of trade do not need to go to the lengths of finding a dusty lamp to have those wishes granted.
44 Of course, if you haven't made this transition, your PoS infrastructure renames at risk.