A Look Ahead: POS Attacks and Skimming Continue to Threaten Retailers in ’17

February 22, 2017 by Michael Bruemmer

The point-of-sale malware-fueled breach of Eddie Bauer compromised nearly 2.2 million customer records — and put the outdoor clothing and accessories retailer solidly at the top of the list of business data breaches recorded by the Identity Theft Resource Center in 2016.

But Eddie Bauer was far from the only retail organization to have its systems compromised last year. Breached companies ranged from small online retailers to international hospitality concerns. Breaches with the highest number of known records compromised included the following:

  • California-based outdoor equipment retailer Bailey’s Inc. reported 250,000 customers may have had their personal information (names, addresses, phone numbers and email addresses), credit card information (card numbers, CVV numbers and expiration dates) and log-in credentials stolen between Dec. 1, 2011, and Jan. 26, 2016.
  • Utah-based NLU Products/BGZ Brands, whose properties make smartphone accessories and outdoor gear, reported to the Washington State attorney general’s office that it had notified more than 2,500 Washington residents of a breach that compromised names, shipping and billing addresses, credit and debit card numbers and credit security codes. According to ITRC data, the total number of compromised records has exceeded 114,000.
  • QVC reported that tracking technology used to transmit data between the online/TV retailer and companies that provide it with services unintentionally sent website visitors’ email and password information, rather than anonymous data as intended. The total number of affected records is not known.

Retail under fire

Cyberattacks on businesses represented 44 percent of all the 2016 data breaches recorded by the Identity Theft Resource Center as of mid-December; those 432 breaches compromised more than 5,649,046 records. A retail breach accounted for the largest number of compromised records within the business category, and was among the 10 largest breaches recorded across all categories, according to ITRC data.

While 2016 may have had fewer headline-grabbing retail breaches than we saw in 2015, the new year is shaping up to be one of particular risk for retailers. In our 2017 Data Breach Industry Forecast, Experian Data Breach Resolution predicts retailers will continue to come under point-of-sale attacks, despite the implementation of the EMV chip and PIN liability shift.

Although the liability shift was intended to, in part, encourage wider adoption of the more secure EMV chip technology, just 37 percent of American retailers have POS card readers capable of processing chip technology. This uneven adoption, along with the continuing ingenuity of cybercriminals in exploiting new tactics and targeting new industries, means payment attacks will continue to be a significant risk for retailers in 2017. Additionally, these factors indicate cyberattackers may find a lucrative opportunity in shifting their focus from big retailers, like Eddie Bauer or Target, to smaller franchised stores and others with distributed infrastructure.

We also foresee use of the skimmer — a long-favored tool of cybercrooks — expanding in scope. The rise of self-checkout terminals in retail locations makes it seem likely cyberattackers would look to exploit this opportunity, and skimmers would allow them to do so on a much larger scale than the individual attacks the devices have been used for in the past. Coordinated and widespread skimming operations are likely to emerge, raising the likelihood that at least one major national retailer will suffer a significant skimming attack in 2017.

Retailers continue to be at risk for data breaches and other forms of cyberattack. They can mitigate risks by speeding up plans for EMV chip and PIN adoption, maintaining security best practices, staying abreast of and preparing for emerging risks, and having a vibrant data breach response plan in place.

Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.