Over the years, many well-known brands in the retail industry have made the headlines worldwide. While this can be the product of achievements, it also happens when retailers are victims of cyberattacks that significantly affect their customers' data and, consequently, the company's finances and reputation.
A few days ago, we published a blog post outlining statistics, threats, challenges, and best practices in cybersecurity for this industry. On this occasion, we would like to share some of the most notable cases of cyberattacks and data breaches experienced by well-known multinational retailers. These cases can serve as a warning to other companies inside and outside this industry and as a learning resource to avoid making similar mistakes in cybersecurity.
- Under Armour (2018)
Under Armour, Inc. is an American performance apparel and footwear company that manufactures and sells sports clothing, footwear, and accessories designed to enhance athletic performance. In March 2018, this retailer publicly reported a data breach after its MyFitnessPal application was hacked, affecting approximately 150 million user accounts. Allegedly, since February of the same year, the attackers obtained email addresses, usernames, and hashed passwords but not social security or payment card information. Nonetheless, the company asked its users to change their passwords through various communication channels. Among the sources reviewed for this post, there is no report of any disclosure of the type of attack or the financial cost of this data breach to Under Armour.
- Forever 21 (2017-2023)
Forever 21 is a multinational fast-fashion retailer known for its trendy clothing and accessories at affordable prices, primarily for young women and teens. In November 2017, the company was investigating a potential data breach that compromised customers' personal and payment card information. The investigation focused on transactions between March and October of that year. Shortly thereafter, Forever 21 confirmed the data breach.
Apparently, this retailer had point-of-sale (PoS) systems in some of its stores that had either not yet received, or never received, the encryption and authentication upgrades it was supposed to have started implementing in 2015. From there, the attackers accessed Forever 21's network and installed malware to steal information. Although compromised credit card data was mentioned, the number of customers affected was not reported.
It was in 2023 that the media spoke of over half a million affected people. This was not the aforementioned attack but a new one, which reportedly started in January of that year. However, it seems that those affected in this case were only current and former employees of the retailer whose personal information was compromised. Although the type of attack was not disclosed, the media inferred that it may have been a ransomware attack. Forever 21's financial costs have also not been revealed so far.
- eBay (2014)
eBay Inc. is a U.S. e-commerce firm where people and businesses sell and buy a wide variety of goods and services worldwide. In May 2014, eBay asked its users to change their passwords because of an attack that compromised its personal information database. This included names, dates of birth, email addresses, phone numbers, and "encrypted" passwords. What was seemingly not stolen was financial data, which was stored separately. As in the Under Armour case described above, it is striking that eBay asked its customers to change their passwords as if they did not have sufficient confidence in its encryption methods.
The attackers had gained access to the company's network a few months earlier by compromising the login credentials of some employees. It is assumed that the total number of affected users could be 145 million. But did malicious hackers manage to get all the data from just a few employee accounts? That's odd. Supposedly, no financial fraud was reported in the end, but, as we know, all that stolen information can be useful to cybercriminals, for example, in their social engineering campaigns. The costs for eBay were apparently not disclosed.
- Neiman Marcus (2013-2020)
Neiman Marcus is an American department store chain offering high-end designer brands in fashion, accessories, and home goods. In 2014, this retailer reported being the victim of a data breach in which information from 1.1 million customer payment cards was compromised. Malware had been installed on their systems and had been active from mid-July to the end of October 2013. At that time, they said there was no connection to the Target case (reported as number one on the list in this post), but many of the compromised payment cards had already been used fraudulently.
In early 2019, the company reached an agreement with several U.S. states to pay $1.5 million in response to this security incident. By then, it was stated that the number of compromised cards was, in reality, around 370 thousand, of which more than 9 thousand had been used fraudulently.
Despite Neiman Marcus' response, which was supposed to also involve improvements in cybersecurity, in 2021 it disclosed a new data breach. It had reportedly occurred back in May 2020 but was discovered only in September of the following year. Some 4.6 million customer accounts, including their payment card numbers and personal information, were seemingly compromised. The retailer said, "Approximately 3.1 million payment and virtual gift cards were affected for these customers."
- TJX Companies (2007)
The TJX Companies, Inc. is an American multinational off-price retailer that operates a chain of department stores offering discounted brand-name apparel and home fashions. This company disclosed in early 2007 that customer records had been compromised for nearly two years. Since July 2005, cybercriminals had accessed TJX's network and installed malware to steal the personal and financial information of at least 45.7 million customers. (Apparently, this reported number was much lower than the actual number; it was later reported to be more than 95 million). Credit and debit card transactions were affected in several of TJX's stores in countries such as the U.S., Canada, Puerto Rico, and the U.K.
The attackers seem to have gained access through some of the PoS systems of TJ Maxx, one of TJX's subsidiaries, whose security is said to have been quite deficient, with flaws in basic encryption and access control. Moreover, TJX's wireless network was apparently protected by Wired Equivalent Privacy (WEP), one of the weakest forms of security for such networks. The hackers obtained employee login credentials, created their own accounts, and, throughout the reported period, collected data related to customer transactions. From there, they could sell this information on the black market or use it for asset theft. By the following year, some hackers had already been implicated and charged with this and similar crimes.
TJX's initial costs for dealing with the data breach, user reporting, and security enhancements amounted to $5 million, which is nothing compared to what came next. Months later, another $12 million in charges were added, and some media estimated that the sum would reach billions of dollars. As time went by, the company was hit with lawsuits filed by users and investigations and fines by government agencies for non-compliance with customer protection laws.
- Home Depot (2014)
The Home Depot, Inc. is a major U.S. retailer that offers a wide range of home improvement products and services. In September 2014, this company confirmed that its payment systems had been subject to a malware attack similar to the one suffered by Target Corporation (see case below), which had begun in April. Allegedly, the attackers used the credentials of a third-party vendor to access Home Depot's network and installed malware to compromise PoS systems and steal the data of customers using payment cards in the U.S. and Canada. According to the company, that malware had not been used in previous attacks and was designed to evade antivirus detection.
In this case, more than 40 million customers were affected. Initially, 56 million credit and debit card numbers were reported to be compromised, but in November of the same year, it was declared that 53 million email addresses were also affected. Such payment card information could have been used by criminals to make fraudulent online purchases or create cloned cards.
Once the investigation was completed, Home Depot had to add encryption enhancements to its PoS terminals. It appears that they also began to accelerate the implementation of chip-and-PIN technology. Additionally, they had to hire a chief information security officer (CISO), train their staff in security awareness, and implement two-factor authentication (2FA), firewalls, and penetration testing, among other security measures. Years later, the company ended up paying $17.5 million in settlements with different states, which was only a fraction of the total costs, to which litigation by customers and various institutions was added.
- Target (2013)
Target is among the largest American retail corporations. It offers a wide assortment of products, including apparel, home goods, and groceries, focusing on value and design. Target suffered a cyberattack in late November 2013, apparently in the middle of Black Friday. Around two weeks later, its staff discovered the breach and reported it to the U.S. Justice Department. The attack was mitigated after two days.
Apparently, compromising only one third-party vendor, out of the many that could have been attacked, was enough for the attack to succeed. Specifically, it was Fazio Mechanical, a refrigeration contractor whose cybersecurity weaknesses allowed the attackers to break into Target's corporate network. The attack vector was a phishing email, which allowed Citadel (a variant of the Zeus banking trojan) to be installed on the machines of Fazio, a company that did not make suitable use of anti-malware software. Once inside Target's network, which was seemingly poorly segmented, the hackers could find and exploit vulnerabilities to move laterally, escalate privileges, and take control of the servers. Finally, they infiltrated and infected Target's PoS systems with malware to extract credit and debit card information and sell it on the black market.
Attackers stole data from roughly 40 million credit and debit cards, along with personal information from up to 70 million customers. Target's costs exceeded $200 million, including legal fees, settlements, and investments in security improvements. The actual cost may have been much higher, considering lost sales, customer churn, and damage to their stock price. This was one of the most significant retail data breaches in history at the time. It's even said to have been the first case in which "the CEO of a major corporation got fired because of a data breach." The breach significantly eroded public trust in Target's security practices. It led to lawsuits, regulatory fines, and negative media coverage, impacting their brand image and customer loyalty for years to come.
Target's data breach and the other cyberattacks described here can serve as a wake-up call for all, or at least many, members of the retail industry. Among other things, these cases highlighted vulnerabilities in point-of-sale (PoS) systems and networks, the presence of workers with little cybersecurity training, and the need for more stringent and up-to-date security measures. Whether you are a retailer or not, today cybersecurity is not only a necessity but also the law of the land. Integrating automated and manual security testing, Fluid Attacks is here to help you avoid being the next victim to make headlines. Contact us.