Study: Critical security issues plague holiday retailers

Retailers are doing a good job online when it comes to sales, but they are failing when it comes protecting sensitive shopper data.



All of the nation’s largest retailers had multiple issues with domain security, which increases the risk of hackers impersonating a retailer's site and falsifying a checkout form to obtain a user's credit card information, according to a report by security rating firm SecurityScoreboard that exposes cybersecurity vulnerabilities across 48 of the biggest U.S holiday retailers.



The study, “2016 Biggest Holiday Retailers Cybersecurity Report,” finds that more than 50% of the largest retailers may have failed to meet the Payment Card Industry's Data Security Standards (PCI DSS). Issues discovered include malware infections, use of end-of-life products, weak network security and low security awareness among employees — all areas that give hackers more opportunities to infiltrate retailer networks.



Meanwhile, 90% have missing sender policy framework (SPF) records — details that identify which mail servers are permitted to send email on behalf of a brand’s domain. Missing records increase the risk of an email spoofing attack reaching consumers, the report said.



Nearly 80% of retailers may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment, and as of October 2016, 83% of retailers had unpatched vulnerabilities.



When looking at the bottom-performing retailers in this group, these brands earned a “D” grade, or lower in their network security efforts, suggesting that their network may have an unaccounted access point ready to be exploited. One reason could be that 62% of retailers were using end-of-life products in the last month, making them more susceptible to attacks or exploits. This could be why 43% of companies were infected with malware between April and June 2016, data showed.



“This time of year is always tough for security professionals. With more consumers, more transactional data, and more credit cards to steal, the holiday shopping season is an ideal time for a hacker to attack," said Sam Kassoumeh, co-founder and COO of SecurityScorecard.



"Our analysis indicates that even the most secure retailers could be susceptible to a breach. Additionally, previously installed and dormant malware could be activated during this time of year to capitalize on a larger score,” he added. “If a hacker decides to take action while organizations scramble to keep up with an uptick in sales activity, attacks are more likely to be successful.”