Attacks against e-commerce applications are by far the leading cause of breaches in this industry. As organizations continue to move their primary operations to the web, the criminals migrate along with them. Consequently, Point of Sale (PoS)-related breaches, which were for many years the dominant concern for this vertical, remain at the low levels seen in the 2019 DBIR. While Payment data is a commonly lost data type, Personal and Credentials data also continue to be highly sought after in this sector.
Frequency: 287 incidents, 146 with confirmed data disclosure
Top patterns: Web Applications, Everything Else and Miscellaneous Errors represent 72% of breaches.
Threat actors: External (75%), Internal (25%), Partner (1%), Multiple (1%) (breaches)
Actor motives: Financial (99%), Espionage (1%) (breaches)
Data compromised: Personal (49%), Payment (47%), Credentials (27%), Other (25%) (breaches)
Top controls: Boundary Defense (CSC 12), Secure Configurations (CSC 5, CSC 11), Continuous Vulnerability Management (CSC 3)
I’ll buy that for $1
We are sure it comes as no surprise to anyone in this sector, but the Retail industry is a frequent target for financially motivated actors. Retail as an industry is almost exclusively financially motivated too, so it is only fair. This sector is targeted by criminal groups who are trying to gain access to the wealth of payment card data held by these organizations. Last year’s trend of transitioning from ‘card-present’ to ‘card-not-present’ crime continued, which has driven a corresponding decrease since 2016 in the use of RAM-scraper malware. Personal data figures prominently in Retail breaches and is more or less tied with Payment as the top data type compromised. Certainly, if the attacker cannot gain access to Payment data but stumbles across Personal data that is lucrative for other types of financial fraud, they will not file a complaint.
To the web with you
Figure 98 provides us with a good view through the display case, as it were, of the Retail sector. Over the last few years (2014 to 2019), attacks have swung away from Point of Sale devices and controllers and toward Web Applications. This largely follows the trend in the industry of moving transactions primarily to a more web-focused infrastructure. Thus, as the infrastructure changes, the adversaries change along with it to take the easiest path to data (footnote 44). Attacks against Web Applications have been gaining ground. In the 2019 DBIR, we stated that we anticipated Retail breaches were about to lose their majority to web-server-related breaches, and in Figure 99 we can see that this has in fact occurred. Be sure to play the lucky lotto numbers printed on the back cover. Winner, winner! Chicken dinner!