Cyber attacks on major retailers like MediaMarkt, Casa International and Metro made headlines last year, and that is no coincidence: in 2022, retail was the fifth most targeted industry by cybercriminals.
Attractive to hackers
Late 2021, electronics chain MediaMarkt was the victim of an international cyber hostage crisis, which among other things forced the disconnection of cash register systems in shops. Hackers demanded a ransom of more than forty million euros. Last summer, Casa International’s IT systems were encrypted and certain personal data were leaked. A large-scale cyber-attack on Metro last autumn caused IT problems that dragged on for weeks, causing the cash register systems and electronic price labels to fail. This also severely hampered the clearance sale at bankrupt Belgian subsidiary Makro.
These are just three examples that illustrate the extent to which retailers are also targeted by hacker gangs. However, the problem is much bigger: many incidents do not make it into the media. According to IBM figures, retail was the fifth most targeted industry by cybercriminals in 2022, accounting for 8.7 % of all attacks in the top ten industries. This is a significant increase from the 7.3 % in 2021, IBM’s latest X-Force Threat Intelligence Index reports. With an annual 2.72 trillion euros in online retail transactions – up 20 % from the previous year – retail is now an attractive sector for cybercriminals, given the large amounts of sensitive data.
Opening back doors
The most common type of attacks on retailers was sending spear-phishing emails with a malicious link (33 %). The main consequences of these attacks were extortion (50 %), stealing data (25 %) and financial loss (25 %). Hackers not only fish customer data to extort retailers, but also more frequently target disrupting services, leaving retailers unable to trade, X-Force’s European head Eben Louw explains.
In 2021, IBM saw more frequent use of ransomware. Last year, that changed: “After the outbreak of war in Ukraine, we saw an increase in attacks from the end of April. The aim of those attacks was mainly to open back doors, and then very slowly and covertly penetrate systems to steal data.”
In retail, the application servers and online operations are often vulnerable. Once cybercriminals manage to penetrate the systems, they have free rein, given the trust relationships between the application server and the back-end databases. “Often they do not even need to crack accounts. For example, there are no firewalls between applications. Also, accounts are often given too many administrative rights. Developers often take shortcuts because they are under time pressure.”
When retailers get back up and running quickly after a reported cyberattack, you may wonder what happened behind the scenes: did they pay a ransom? The problem is that you can never trust cybercriminals: “They do say: pay us and we will destroy all the data we stole from you. We never get involved in those negotiations, but we understand from our research that you never get real guarantees.”
And it is not just about the stolen data, it is also about the credentials: hackers can get in through a leak in the system, but also through stolen usernames and passwords. In the time pressure to get systems operational again very quickly, that back door is often left open and hackers can strike again if they want to. “You can never again put your trust in a system in which hackers have been at work. You have to reinstall it and restore your backups. Companies often refuse to do that because they do not have the hardware, the storage capacity, the people or the time. Sometimes they do not even have the passwords to old network systems anymore, because they were configured by suppliers they no longer work with.”
Vulnerable POS systems
Is it even possible to secure your systems perfectly? “You can never be 100 % secure. We recommend securing your systems to the extent that it becomes so difficult for criminals that they would rather try somewhere else. They are opportunists with a revenue model: they might attempt to penetrate your system for one or two days, but if that fails, they will shift their attempt to the next company.”
Map your external attack surface, Louw advises: what can cybercriminals see from the outside and how can they attack you? “You need to understand that and improve it. Then you start looking internally at the vulnerabilities in your systems. Cash registers, for example, often still run on old legacy operational systems. If hackers can take those down, the retailer comes to a standstill. You also need to frequently audit all your local user accounts and domain accounts.” Paradoxically, the antivirus system is often the ideal backdoor, as it provides smooth access to all systems without any threshold. The same applies to backup servers.
User awareness is also critical, Louw points out. “That has increased, as we see that phishing emails have become less prominent.” However, management must also realise how big the commercial and financial impact of an incident can be. This does not always turn out to be the case. “A Portuguese retailer hit by a cyber-attack set aside a budget to improve security. But a few weeks after the incident, when the team wanted to start implementing the agreed measures, the budget appeared to have disappeared…”