
Retail Sector Data Breaches
Over the years, many well-known brands in the retail industry have made the headlines worldwide. While this can be the product of achievements, it also happens when retailers are victims of cyberattacks that significantly affect their customers’ data and, consequently, the company’s finances and reputation.

A few days ago, we published a blog post outlining statistics, threats, challenges, and best practices in cybersecurity for this industry. On this occasion, we would like to share some of the most outstanding cases of cyberattacks and data breaches experienced by well-known multinational retailers. These cases can serve as a warning to other companies inside and outside this industry and as a learning resource to avoid making similar mistakes in cybersecurity.
7. Under Armour (2018)
Under Armour, Inc. is an American performance apparel and footwear company that manufactures and sells sports clothing, footwear, and accessories designed to enhance athletic performance. In March 2018, this retailer publicly reported a data breach after its MyFitnessPal application was hacked, affecting approximately 150 million user accounts. Allegedly, since February of the same year, the attackers had obtained email addresses, usernames, and hashed passwords, but not social security or payment card information. Nonetheless, the company asked its users, through various communication channels, to change their passwords. Among the sources reviewed for this post, there is no report of any disclosure of the type of attack or the financial cost of this data breach to Under Armour.
6. Forever 21 (2017-2023)
Forever 21 is a multinational fast-fashion retailer known for its trendy clothing and accessories at affordable prices, primarily for young women and teens. In November 2017, the company was investigating a potential data breach that compromised customers’ personal and payment card information. The investigation focused on transactions between March and October of that year. Shortly thereafter, Forever 21 confirmed the data breach. Apparently, this retailer had point-of-sale (PoS) systems in some of its stores that had not yet received, or had never received, the encryption and authentication upgrades it was supposed to have started implementing in 2015. From there, the attackers accessed Forever 21’s network and installed malware to steal information. Although there is talk of compromised credit card data, the number of customers affected was not reported.

It was in 2023 that the media spoke of over half a million affected people, but not in the aforementioned attack: in a new one, which reportedly started in January of that year. However, it seems that those affected in this case were only current and former employees of the retailer, whose personal information was compromised. Although the type of attack was not disclosed, the media inferred that it may have been a ransomware attack. Forever 21’s financial costs have also not been revealed so far.
5. eBay (2014)
eBay Inc. is a U.S. e-commerce firm where people and businesses sell and buy a wide variety of goods and services worldwide. In May 2014, eBay asked its users to change their passwords because of an attack that compromised its personal information database. This included names, dates of birth, email addresses, phone numbers, and “encrypted” passwords. What was seemingly not stolen was financial data, which was stored separately. As in the Under Armour case described above, it is striking that eBay asked its customers to change their passwords, as if it did not have sufficient confidence in its encryption methods. The attackers had gained access to the company’s network a few months earlier by compromising the login credentials of some employees. It is assumed that the total number of affected users could be 145 million. But did malicious hackers manage to get all the data from just a few employee accounts? That’s odd. Supposedly, no financial fraud was reported in the end, but we know all that stolen information can be useful for cybercriminals, for example, in their social engineering campaigns. The costs for eBay were apparently not disclosed.
4. Neiman Marcus (2013-2020)
Neiman Marcus is an American department store chain offering high-end designer brands in fashion, accessories, and home goods. In 2014, this retailer reported being the victim of a data breach in which information from 1.1 million customer payment cards was compromised. Malware had been installed on its systems and had been active from mid-July to the end of October 2013. At the time, the company said there was no connection to the Target case (reported as number one on the list in this post), but many of those cards had already been used fraudulently. In early 2019, the company reached an agreement with different states in the nation to provide $1.5 million in response to this security incident. By then, it was stated that, in reality, the number of compromised cards was around 370 thousand, of which more than 9 thousand had been used fraudulently.

Despite Neiman Marcus’ response, which was supposed to also involve improvements in cybersecurity, in 2021 it disclosed a new data breach. It had reportedly occurred more than a year earlier, back in May 2020, but was discovered in September of the following year. Some 4.6 million customer accounts, including their payment card numbers and personal information, were seemingly compromised. The retailer said, “Approximately 3.1 million payment and virtual gift cards were affected for these customers.”
3. TJX Companies (2007)
The TJX Companies, Inc. is an American multinational off-price retailer that operates a chain of department stores offering discounted brand-name apparel and home fashions. This company disclosed in early 2007 that customer records had been compromised for nearly two years. Since July 2005, cybercriminals had accessed TJX’s network and installed malware to steal the personal and financial information of at least 45.7 million customers. (Apparently, this reported number was much lower than the actual number; it was later reported to be more than 95 million.) Credit and debit card transactions were affected in several of TJX’s stores in countries such as the U.S., Canada, Puerto Rico, and the U.K.

Such access seems to have been gained by the attackers through some of the PoS systems of TJ Maxx, one of TJX’s subsidiaries. It is said that their security was quite deficient: they had flaws in basic encryption and access control. Moreover, TJX’s wireless network was apparently protected by Wired Equivalent Privacy (WEP), one of the weakest forms of security for such networks. The hackers obtained employee login credentials, created their own accounts, and, throughout the reported time, collected data related to customer transactions. From there, they could sell this information on the black market or use it for asset theft. By the following year, some hackers had already been implicated and charged with this and similar crimes.

TJX’s initial costs for dealing with the data breach, user notification, and security enhancements amounted to $5 million, which is nothing compared to what came next. Months later, another $12 million in charges were added, and some media estimated that the sum would reach billions of dollars. As time went by, the company was hit with lawsuits filed by users and investigations and fines by government agencies for non-compliance with customer protection laws.
2. Home Depot (2014)
The Home Depot, Inc. is a major U.S. retailer that offers a wide range of home improvement products and services. In September 2014, this company confirmed that its payment systems had been subject to a malware attack similar to the one suffered by Target Corporation (see case below), which had begun in April. Allegedly, the attackers used the credentials of a third-party vendor to access Home Depot’s network and install malware to compromise PoS systems and steal the data of customers using payment cards in the U.S. and Canada. According to the company, that malware had not been used in previous attacks and was designed to evade antivirus software detection. In this case, more than 40 million customers were affected. Initially, 56 million credit and debit card numbers were reported to be compromised, but in November of the same year, it was declared that 53 million email addresses were also affected. Such payment card information could have been used by criminals to make fraudulent online purchases or create cloned cards.

Once the investigation was completed, Home Depot had to add encryption enhancements to its PoS terminals. It appears that it also began to accelerate the implementation of chip-and-PIN technology. Additionally, it had to hire a chief information security officer (CISO), train its staff in security awareness, and implement two-factor authentication (2FA), firewalls, and penetration testing, among other security measures. Years later, the company ended up paying $17.5 million in settlements with different states, which was only a fraction of the total costs, to which were added litigation by customers and various institutions.
1. Target (2013)
Target is among the largest American retail corporations. It offers a wide assortment of products, including apparel, home goods, and groceries, focusing on value and design. Target suffered a cyberattack in late November 2013, apparently in the middle of Black Friday. Around two weeks later, its staff discovered the breach and reported it to the U.S. Justice Department. The attack was mitigated after two days.

Apparently, compromising only one third-party vendor, out of the many that could have been attacked, was enough for the attack to succeed. Specifically, it was Fazio Mechanical, a refrigeration contractor whose cybersecurity weaknesses allowed the attackers to break into Target’s corporate network. The attack vector was a phishing email, which allowed Citadel (a variant of the Zeus banking trojan) to be installed on the machines of Fazio, a company that did not suitably use anti-malware software. Once inside Target’s network, which was seemingly poorly segmented, the hackers could find and exploit vulnerabilities to move laterally, gain privileges, and take control of the servers. Finally, they infiltrated and infected Target’s PoS systems with malware to extract credit and debit card information and sell it on the black market.

Attackers stole data from roughly 40 million credit and debit cards, along with personal information from up to 70 million customers. Target’s costs exceeded $200 million, including legal fees, settlements, and investments in security improvements. The actual cost may have been much higher, considering lost sales, customer churn, and damage to its stock price. This was one of the most significant retail data breaches in history at the time. It’s even said to have been the first case in which “the CEO of a major corporation got fired because of a data breach.” The breach significantly eroded public trust in Target’s security practices. It led to lawsuits, regulatory fines, and negative media coverage, impacting the brand image and customer loyalty for years to come.
Target’s data breach and the other cyberattacks described here can serve as a wake-up call for all, or at least many, retail industry members. These cases highlighted, among other things, vulnerabilities in their point-of-sale (PoS) systems and networks, the presence of workers with little cybersecurity training, and the need for more stringent and up-to-date security measures. Whether you are a retailer or not, today cybersecurity is not only a necessity but also the law of the land. Integrating automated and manual security testing, Fluid Attacks is here to help you avoid being the next victim to make headlines. Contact us.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/retail-sector-data-breaches/