From credit card details to premium cheese, hackers are after you!

Selling stolen personal data is a big business for hackers: Somewhere on the dark web, your e-mail address and a few passwords are probably for sale (hopefully, old ones). Cyber criminals buy troves of this information to try to login to websites where they can grab something valuable like cash, airline points, or merchandise like expensive cheese. Yes, cheese.

Online retailers are hit the most by these attacks, according to a report by cyber security firm Shape Security. Hackers use programs to apply stolen data in a flood of login attempts, called “credential stuffing.” These days, more than 90% of e-commerce sites’ global login traffic comes from these attacks. The airline and consumer banking industries are also under siege, with about 60% of login attempts coming from criminals.

These attacks are successful as often as 3% of the time, and the costs quickly add up for businesses, Shape says. This type of fraud costs the e-commerce sector about £3 billion a year, while the consumer banking industry loses out on about £1.2 billion annually. The hotel and airline businesses are also major targets—the theft of loyalty points is a thing—costing a combined £450 million every year in the US and UK.

Completely unaware

By the time you hear about a hacker intrusion, it’s usually too late; on average, it takes 15 months from the day credential data is stolen to the day an intrusion is revealed. That’s more than enough time for criminals to deploy the data of unsuspecting people in thousands of credential stuffing attacks.

The process starts when hackers break into databases and steal login information. Some of the best known “data spills” took place at Equifax and Yahoo, but they happen fairly regularly—there were 51 reported breaches last year, compromising 2.3 billion credentials, according to Shape. Hackers frequently target web forums: The Lady Gaga “Little Monster” fan site had a breach last year that reportedly impacted about 1 million accounts containing birthday, password, and e-mail information.

Premium cheddar

Criminals steal personal data from places with weak protection and then use login data on sites and apps that are much higher value and better protected. Taking over bank accounts is one way to monetise stolen login information—in the US, community banks are attacked far more than any other industry group. According to Shape’s data, that sector is attacked more than 200 million times each day.

Another way to turn stolen data into cash is to buy merchandise, from gift cards to physical goods like electronics, that can easily be resold. It turns out that expensive cheese, like £200-per-pound Wyke Farms cheddar, is sometimes used in criminal schemes. Hackers use stolen credentials to break into online accounts to buy high-priced cheese and then resell it to restaurants for cash, Shape says.

Effect on Retailers 

Recent research carried out by Retail Week found that 72% of retail executives have witnessed “an exponential rise in the increase in hacking attempts in the past two to three years, with 64% of those witnessing this increase experiencing a breach in their own firm.” This is worrying in itself. But when you compare those statistics with the views of consumers quizzed as part of the same research, 72% of who would be unlikely to do business again with a retailer who suffered a data breach involving personal data, it’s clear that cyber-security has a material impact on the brand, and ultimately the bottom line.

The Threat Landscape

Cyber criminals are becoming more sophisticated, sharing successful techniques and tools with others hackers on the dark web. Whilst cyber security is improving, the threat landscape is constantly evolving.

As many retailers look to implement a single digital customer journey encompassing online, in store and beyond, which is dependent on customer data, now is the time to break rank and design a security strategy from the inside out. 

The benefits? There are many, but these are the ones I see as delivering the most strategic value.

• Innovation: Being able to scale technology-based innovation, which let’s face it is happening at a previously unseen pace, with confidence rather than scrabbling to find a way around PCI DSS and GDPR requirements.
• Reputation: Knowing that the millions spent building your brand are much less likely to be outstripped by millions spent defending and rebuilding your reputation after a data breach, particularly one you could have easily avoided.
• Business Optimisation: Why retrospectively work out how to plug the gaps and comply with information security regulations when you make a change to your IT? Build in flexible, scalable security and you’ll save time and money on your projects.