4 Cyberattacks that Hurt Retail Businesses in 2023

Retail businesses are ever-popular targets for cybercriminals.

From ransom-style attacks that use operational disruption as leverage to card skimming, retail and e-commerce businesses are straightforward propositions for financially motivated cybercriminals.

The 2023 Data Breach Investigations Report identified system intrusion, web application attacks, and social engineering as the most significant threats to retail businesses.

This article discusses why cyberattacks in the retail industry continue to grow in volume and takes a close look at four serious retail breaches from the last year.

Why is this a Concern?

The retail industry is evolving, transforming transactions into shopping experiences. To do this, retail businesses have adopted a wide range of technologies, from e-commerce platforms and in-store IT systems to connected devices such as beacons, sensors, and trackers.

This increased use of technology makes retail businesses an enticing target for cybercriminals, who can profit by stealing customer data, scraping payment card information from PoS devices, and disrupting operations as leverage for hefty ransom demands.

The Sophos State of Ransomware in Retail report found that 69% of retail businesses were hit by ransomware in 2023. Almost three-quarters of these ransomware attacks resulted in data being encrypted, up from 68% and 54% in the two previous years.

The average cost of a retail data breach in 2023 was $2.96 million, and the industry accounted for 6% of all data breaches worldwide, up from 5% the previous year. This makes retail the 8th most targeted industry, up from 10th in 2022.

While these figures may not sound like much, they represent a dramatic rise in attacks against retail businesses.

4 Recent Retail Cyberattacks

1. Ace Hardware Operations Disrupted, Franchise Owners Phished

In late October 2023, hardware giant Ace Hardware was hit by a cyberattack that impacted warehouse management systems, retailer mobile assistants, invoicing systems, customer service phone systems, and the company’s rewards system. The result was widespread disruption across the chain’s 5,600 stores around the world. Shipments were disrupted, deliveries were delayed, and the company was unable to take online orders.

Ace Hardware later revealed attackers had compromised over a thousand assets—1,202 devices, including 196 servers, were hit during the attack and had to be repaired or recovered.

During the incident, Ace Hardware sent a notice to franchise owners, telling them what had happened and stating: “…many of our key operating systems, including ACENET, our Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards, and the Care Center’s phone system have been interrupted or suspended.”

Franchise owners were also informed their scheduled deliveries would not be arriving and that they should avoid placing additional orders until the problem was resolved.

To make matters worse, data stolen in the attack was used to target Ace Hardware franchise owners with social engineering attacks via phone and email. These attacks aimed to take advantage of the confusion by tricking franchise owners into:

  • Sending payments meant for Ace Hardware to the attacker’s account.
  • Providing credentials that would allow attackers to access a store’s IT systems.

This cyberattack and ensuing social engineering attempts highlight the extreme disruption retail businesses can suffer when targeted by cybercriminals. While Ace Hardware has not publicized a total cost, it’s likely that the incident had a significant financial impact on the company and its franchise owners.

2. JD Sports Hack Leaks 10 Million Customers’ Data

In early 2023, fashion retailer JD Sports was hit with a major cyberattack. The breach occurred after a server containing online order information for customers was hacked. In its official announcement, the company stated the cybercriminals responsible had stolen information that included:

“…the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.”

The breach extended beyond JD Sports to affect many of the company’s group brands, including JD, Size?, Millets, Blacks, Scotts, and MilletSport.

The attackers could use this data to launch social engineering attacks against exposed individuals in a manner similar to what Ace Hardware franchise owners experienced. Alternatively, the data may simply be sold via a dark web marketplace for use in other cybercrime and fraud attempts.

The company said it was working with “leading cyber-security experts” and engaging with the UK’s Information Commissioner’s Office (ICO) in response to the incident. The company’s CFO said affected customers were being advised: “to be vigilant about potential scam emails, calls, and texts.”

3. Attack on Apparel Mega-Retailer VF Corp Leaks Info on 35 Million Customers

VF Corporation, the corporate owner of apparel brands such as Timberland, Dickies, North Face, Vans, and many more, suffered a serious cyberattack in December 2023.

In its regulatory filing with the US Securities and Exchange Commission (SEC), the company said it “detected unauthorized occurrences on a portion of its information technology (IT) systems” on December 13. The filing also stated VF Corp was experiencing operational disruptions, and its ability to fulfill orders was impacted.

The company’s filing and other announcements didn’t directly describe the attack as a ransomware incident, instead indicating that hackers had disrupted operations after “encrypting some IT systems.” The identity of the cybercriminal group behind the attack remains undisclosed, although the ALPHV/BlackCat ransomware group claimed responsibility.

VF Corp didn’t disclose precisely what information had been stolen. However, it did admit that personally identifiable information (PII) relating to around 35 million individuals was compromised. While the company claimed to have removed the threat within a few days, it also admitted to still suffering “minor impacts” over a month later.

4. Staples Cyber Week Sales Push Disrupted by Cyberattack

On Cyber Monday 2023, a cyberattack began against Staples, disrupting the company’s ability to process and deliver online orders during the critical promotional period. The attack also affected communications and customer service, with all customer service employees reportedly being sent home for several days.

Reports on Reddit highlighted internal operational disruptions, including issues with Zendesk, VPN employee portals, email access, and more. Staples employees were advised against using Microsoft 365’s single sign-on until the incident was fully resolved. The company was able to restore most systems by Wednesday and restore other systems by Thursday.

A statement sent to ABC News claimed the disruption was caused by the “proactive steps” the retailer took to “mitigate the impact and protect customer data.” Several news outlets have speculated the company’s dramatic response suggests attackers may have attempted to deploy ransomware—shutting down and disconnecting systems is a common approach businesses use to minimize the impact of encryption-based cyberattacks.

There’s no suggestion any customer data was compromised—but that’s unlikely to be a significant consolation to the company’s leadership, given the likely financial impact of disruption during the Cyber Monday period. The cost of downtime during a normal week is very significant—an ITIC survey found the cost of a single hour of downtime can be up to $5 million for a large retailer. It’s likely this incident, which took days to resolve, cost Staples significantly more than this.

Protect Your Retail Business from IoT Threats

Securing a retail chain—especially one that encompasses both high street and online sales—can be a complex task. So, while the attacks described here are concerning, they’re hardly surprising. Many cyberattacks against retail businesses go unreported—and of those that do make headlines, it’s rare that the full extent of the damage is publicized.

So, what can you do?

One of the major sources of risk in a retail business is the abundance of connected technologies, both in-store and behind the scenes.

Securing network access and managing vulnerabilities across a diverse IT environment is tough. But that’s where we come in. Asimily’s platform streamlines IoT security, making it easy to lock down traffic, monitor traffic sources, and identify unusual connections. 

Retail businesses can use Asimily’s Risk Simulation to assess mitigation options for individual vulnerabilities and devices before implementing fixes and identify the most secure known deployment of each device. This can help you prioritize your efforts, identify high-risk devices, and avoid wasted effort.

Asimily understands your unique environment and provides real-time, actionable remediation steps to reduce risk and save time—making our customers 10X more efficient at resolving IoT security risk.

To find out how Asimily can help manage the security risk of connected devices for your retail business, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing.

To get started immediately, contact us today.
