Retailers’ guide to stronger cyber security

Find out how retailers can best protect their networks, customer data, POS systems, and endpoints

2024.10.07 | Dheeraj Rawal

The backdrop

This blog covers how digital transformation is changing the retail industry as brands want to woo customers. But digitalization invites newer risks. Find some notable examples from the retail industry where companies have lost millions of dollars owing to disruption caused by attacks. Explore which security solutions can be deployed to improve security posture, compliance, and resilience. 

The fast-paced transformation in the retail industry

[Figure: total retail sales worldwide, 2021-2026 (in trillion euros)]

The digital transformation in the retail industry is moving upwards as software investments continue to pour in. The global IT investments stood at USD 196.5 billion in 2023 and are poised to grow by 6.5% in 2024, surpassing USD 209 billion.1

With these IT investments, retailers aim to reduce inventory costs, improve customer satisfaction, streamline and automate inventory control, enhance forecasting, improve cyber security, and more. Ultimately, retailers want technology to fuel their top lines, and the figures bear this out: global retail sales have been growing each year, and 2024 alone will account for more than USD 30.5 trillion (Euro 27.7 trillion).2

Rich customer experience underpinned by technology

As the modern customer prefers browsing, discovering the brand, and shopping both online and offline, retailers are doubling down on technology. Shoppers expect brands to reach them on multiple channels. This compels retail brands to have an omnichannel presence, offering a consistent experience across all channels, including a personalized experience.

For instance, many retailers are leveraging Artificial Intelligence-based personalization to garner more clicks, increase customers’ time in the store, and improve net promoter scores. 

How Walmart is doing it with GenAI

US-based retail giant Walmart has invested in Generative Artificial Intelligence (GenAI) to enhance the digital shopping experience for its customers. Walmart is tapping into GenAI to make searching and discovering products a breeze for customers.

This aims to improve customer interaction and overall satisfaction.3 More retailers are adopting technologies such as chatbots, e-commerce platforms, smart shelves, mobile applications, voice-assisted shopping, AI assistants, contactless payments, in-store robots, and more.

However, as technologies transform the retail industry, they also bring to the fore new concerns such as cyber security risks. Retailers become more susceptible to cyber attacks due to increased technology use. Imagine this scenario: in a bid to have a digital presence, a brick-and-mortar store launches mobile and web applications. By launching these applications, this store will require the following services in the backend:

  • Payment gateways to facilitate transactions
  • Database management to store customer data and product information
  • Cloud services to host web applications, mobile backend, databases, and more
  • Application Programming Interface (API) to manage communication between different services
  • Data analytics to analyze marketing, sales, and other customer data 
  • User authentication services to manage user identities

Full-scale transformation increases the entry points

This simple scenario gets complicated with full-scale digital transformation, leading to a rise in digital entry points. Through these entry points, bad actors try to gain access and hack systems, causing data breaches, ransomware attacks, and other security incidents. Accelerated technology adoption without robust security measures makes an organization vulnerable, waiting for the floodgates to open.

The retail industry happens to be one of the most targeted industries – about 1 in every 4 attacks is on a retail organization.4

For example, in 2023, about 69% of retail organizations faced a ransomware attack. More than 50% of the ransom demands exceeded USD 1 million. In one-third of the incidents, attackers demanded USD 5 million or more.5

Other common attacks include credential phishing, malware, and distributed denial of service (DDoS). Overall, the average cost of a data breach in the retail industry stood at USD 2.96 million in 2023 and has increased by 18% to reach USD 3.48 million in 2024.6

Story of an attack on a fashion retailer

In 2022, Zoetop, the parent company of online fashion retailer Shein, faced a severe data breach in which the details of more than 39 million Shein customers worldwide were stolen. Customer details such as names, email addresses, passwords, and credit card information were reportedly taken.

These customer details were sold on the dark web for about two years. To make matters worse, the company denied the scale of the attack for some time and swept the matter under the rug. When the story went public and authorities discovered it, the company was fined USD 1.9 million for failing to protect customer data of a financial nature since this type of data falls under the purview of the Payment Card Industry Data Security Standard (PCI DSS).7

The investigations found that the company had weak security measures, including the lack of a password management system, API security, security monitoring, and an incident response plan. The retailer then took measures to ramp up its security posture.

This incident shows how critical security measures are for avoiding incidents that lead to disruption, revenue losses, non-compliance, legal penalties, and reputational loss. Reputation is a major asset for any brand. More than half of a brand’s market value can be attributed to reputation, which explains why companies experience a decline in brand value and revenues after a negative event.8


How retailers can protect their key systems

To that end, what systems and assets do retailers have to protect? What are some security solutions that they can use?

1. Customer data

Customer data that includes personally identifiable information (PII) and financial information needs the utmost protection because it is a lucrative target for bad actors. Additionally, companies handling payment-related data must follow standards such as PCI DSS, which has about 12 main requirements covering network security, data encryption, access management, and more.9

Secure Access Service Edge (SASE) is a security solution that can help retailers protect customer data. SASE includes data loss prevention, which identifies sensitive data and blocks its exfiltration. It also offers data encryption, which can make the data unusable to hackers even if it is stolen. Other capabilities that SASE offers are intrusion prevention, secure web gateways, and web firewalls.

If companies use Customer Relationship Management (CRM) tools, then they need to have role-based access controls, multi-factor authentication, data encryption, and other such measures to secure customer and company data. These capabilities are also offered by SASE security.

2. Website, mobile applications, and e-commerce platforms

Retail websites, mobile apps, and e-commerce platforms handle sensitive transactions, customer interactions, and personal data. They are vulnerable to attacks such as SQL injection, cross-site scripting (XSS), and API misuse, which can lead to data breaches or service disruptions.

Security solutions such as Web Application Firewall (WAF) and SASE (multi-factor authentication and firewall security) block malicious traffic targeting the website or mobile apps. Moreover, retailers can secure their communication between apps and backend systems with API security. Organizations also need to check for existing vulnerabilities by conducting penetration testing and fixing these gaps before they are exploited.

3. Networks and servers

A retailer’s network connects its Point of Sale (POS) systems, databases, servers, and cloud infrastructure. Servers and IT infrastructure also host critical applications, databases, and customer data. Any breach in the IT infrastructure or network can spread quickly and cause major operational disruption.

A microsegmentation security solution divides the network into smaller segments and applies separate security policies to each. This confines an attacker to one segment and contains the attack. A SASE solution can offer robust firewall security and ensure unauthorized users cannot access critical resources. Intrusion detection and prevention systems can also be used to detect and block unauthorized access attempts or suspicious network activity.

In addition to networks, other IT infrastructure must also be protected for business continuity. Any disruption here can cause an outage and downtime. For example, in 2022, Metro AG, a Germany-based international retailer, faced an attack that caused massive IT outages across multiple stores.

The company initially assumed it was an IT problem; only later was it discovered that the systems had been hacked, which put electronic tags, payment systems, and checkout systems out of order. The attack was not limited to physical stores but also affected online ordering systems, causing further delays.10

4. POS systems and employee devices

POS systems are a critical touchpoint for processing customer transactions. A compromised POS system can lead to card skimming, theft of payment data, and unauthorized access to the retail network. Employee devices such as laptops and smartphones are also used to access sensitive corporate data and systems, and therefore need protection.

In 2013, Target, a US-based retail corporation, faced a devastating cyber breach that ended up exposing the data of 70 million customers. Forty million credit and debit card numbers were also exposed. The company’s network had vulnerabilities that were exploited through phishing email attacks. Hackers gained access to POS machines that collected customer card details, and exfiltrated data.

Target delayed notifying customers by four days after identifying the breach, prioritizing securing systems first. This delay, along with the breach itself, led to significant financial and reputational damage, costing the company an estimated USD 1 billion, including multiple lawsuits and loss of consumer confidence. The breach underscored the risks of poor vendor security and inadequate network segmentation, influencing the corporate world to prioritize cybersecurity.11

The incident also accelerated the US transition to chip-and-PIN credit cards, highlighting the necessity for robust cybersecurity measures and crisis management plans. Target’s leadership faced consequences, with both the CEO and CIO resigning, and the breach became a cautionary tale in cybersecurity and corporate governance.

This incident could have been avoided with the right security solutions: endpoint protection, network segmentation to restrict attackers’ movement within the network, and data encryption that would have made the stolen data difficult for hackers to use. Regular vulnerability testing and patching would have closed the security gaps that led to this fiasco.

Endpoint security solutions protect POS systems and devices from malware, data theft, and unauthorized access, and ensure secure processing of payment information on POS systems. Similarly, SASE solutions continuously verify user access requests to corporate data and only grant access after verification. This verification is continuous rather than one-time, thus eliminating all unauthorized access.

SASE security also secures email communication systems to protect against phishing attacks, business email compromise (BEC), and data leaks.

Benefits for the retail industry

1. Enhanced customer trust: Protecting customer data builds trust, leading to increased customer loyalty and repeat business.

2. Regulatory compliance: Ensuring compliance with PCI DSS and data protection regulations helps avoid penalties and legal issues. For instance, penalties for lack of compliance with PCI DSS norms can be USD 5,000-10,000 depending on card volume and could go up as high as USD 100,000. On top of these fines, customers can also sue the companies individually, which becomes a different cost altogether.12 There are other regional compliance regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and more. The average global cost of non-compliance (all industries) is USD 14.82 million.13 The industry is slowly realizing that it is wiser to invest in security and compliance solutions that protect data and save hefty non-compliance losses.

3. Uninterrupted business operations: Securing websites, mobile apps, and networks prevents cyber attacks that could disrupt services and cause downtime. Downtimes are expensive, and for larger retail enterprises, every hour of downtime can cost as much as USD 1.1 million.14

4. Increased revenue protection: Preventing breaches in e-commerce platforms and POS systems safeguards revenue from fraud and data theft.

5. Improved operational efficiency: Microsegmentation and SASE solutions minimize the impact of attacks, reducing recovery time and associated costs.

6. Reduced financial fraud: Endpoint security on POS systems ensures secure transactions, lowering the risk of financial fraud.

7. Protection from data breaches: Strong encryption and access control prevent unauthorized access to sensitive customer and company data.

8. Reduced phishing and email threats: Securing email systems reduces phishing risks, preventing data leaks and reputational damage.

9. Stronger security across employee devices: Continuous user verification and endpoint protection reduce risks from compromised employee devices accessing corporate systems.

10. Early detection of threats: Intrusion detection and penetration testing help identify potential vulnerabilities early, mitigating risks before they impact the business.

T-Systems: An end-to-end security partner

With the right security solutions in place, retailers can avoid unnecessary disruptions caused by security incidents. Moreover, these retailers can keep non-compliance costs, legal hurdles, and reputational damages at bay.

T-Systems offers security solutions such as SASE, Microsegmentation, Endpoint Detection and Response (EDR), Automated Penetration Testing, and more to improve not just security posture, but also overall resilience. With our comprehensive managed security solutions, we can help retail brands detect threats in advance, respond to them in real time, and help recover quickly after incidents. To know more about our security solutions and how they can protect your brand, get in touch with us today.

About the author

Dheeraj Rawal

Content Marketer, T-Systems International GmbH

1 IT Spending in Retail Forecast, 2024, Gartner
2 Global Retail Sales, 2024, Statista
3 Gen AI Article, 2024, Walmart
4 Retail Cyber Security Statistics, 2023, Fortinet
5 State of Ransomware in Retail, 2024, Sophos
6 Average Cost of Retail Data Breach, 2024, CSA 
7 Shein Data Breach Article, 2022, Cyber Security Hub
8 Reputation and Market Value Press Release, 2020, PR Newswire
9 PCI Compliance Article, 2024, Digital Guardian
10 Metro Cyber Attack News, 2022, Security Week
11 Target Data Breach Article, 2021, Entech
12 PCI DSS Non-Compliance Costs, 2024, Comforte
13 True Cost of Non-compliance, 2024, Colligo
14 Average Cost of Downtime Article, 2023, Solarwinds Pingdom