Cybersecurity can be a cat-and-mouse game. Fix one weakness, and the criminals find another target.
It’s a lesson industries from retail to restaurants to airlines are learning as consumers’ data increasingly draws the attention of online thieves. Just this week, Sears, Kmart, Panera Bread and Delta Air Lines notified customers that their payment information and other personal data may have been compromised in security breaches.
The theft of payment information collected at checkout stands, once a more common threat, is declining. The use of chip-enabled credit cards as well as lessons learned from major consumer data breaches — like one at Target in 2013 that affected more than 41 million people — have encouraged retailers to step up their data defenses.
“That went a long way toward securing those point-of-sale systems and making them less of a juicy target for criminals,” said Karl Sigler, threat intelligence manager at SpiderLabs, the research team at Chicago-based cybersecurity firm Trustwave. But in response, criminals are targeting payment information consumers provide when they shop online.
Data breaches affecting checkout systems in stores comprised 20 percent of the incidents Trustwave investigated in 2017, down from 31 percent the year before, according to the firm’s Global Security Report, released Thursday. E-commerce incidents, on the other hand, were 30 percent of cases, up from 26 percent in 2016.
What’s so insecure about online shopping? Sigler said e-commerce sites are getting more complex — with connections to vendors and outside credit card processors — and each added complexity is an added vulnerability.
Trustwave found security holes in every web application it tested in 2017, according to the report. And insecurities aren’t an easy problem to solve, Sigler said. Web development teams are sometimes dispersed across the globe.
“You have teams that have to work together like clockwork in order to really produce good security and have that as a priority,” he said.
Conversations about data security have gone from the data center to the boardroom in recent years, said Mohammed Elkhatib, founder and CEO of cybersecurity company Anomalix, which is based at Chicago tech hub 1871. Unfortunately, there are still issues — sometimes obvious ones — that slip through.
Companies need to establish a security framework and hold third parties that handle customers’ data accountable, Elkhatib said. No matter who’s in charge of the data, they need to play by the same rules, he said.
The public is pushing companies to better protect their online data, be it from cybercriminals or advertisers. But there are measures consumers can take to protect themselves too.
When customers buy something online, many sites ask them to store their payment info to make their next purchase quicker, Sigler said. That information is frequently stored in online retail sites’ back-end databases, which hackers often target. Consumers should think twice before storing it.
Consumers also should make sure their web browsers are updated because many updates involve patches for security flaws, Sigler said.
When buying online, use a credit card instead of a debit card, Elkhatib said. Credit card companies are more likely to refund money from fraudulent purchases. Additionally, consumers should make sure the website they’re buying from is legitimate.
“They have to be judicious about where they’re putting their data,” Elkhatib said. “I hate to say it, but they have to be paranoid.”
For Delta, Sears and Kmart, the breach involved the same third-party online customer service provider. Hoffman Estates-based Sears Holdings Corp., the parent of Sears and Kmart, said in a statement that fewer than 100,000 customers had their credit card information accessed. The breach occurred in September through October, and the support company informed the retailers in March.
Delta said that several hundred thousand customers were potentially exposed, but couldn’t say definitely whether any of their information was actually compromised.
The Panera breach affected customers who had registered for the cafe’s online food ordering program, news site KrebsOnSecurity reported. Panera estimated fewer than 10,000 people were affected.
Retail was the industry hit hardest by cyberattacks in 2017, accounting for about 17 percent of the incidents Trustwave investigated.