By Aimee Chanthadavong

During the early days when e-commerce was emerging there were a lot of ‘erms’ and ‘ahs’ from consumers about shopping online due to fears regarding personal details and security.

And it was not wrong of them to be alarmed.

Up until today – with Australia’s online shopping market expected to reach $37 billion by 2013 – retailers with e-commerce sites are increasingly becoming main targets of fraudulent crimes. The average cost of a data breach to Australian companies is about $2.16 million per incident.

A Trustwave SpiderLabs study on online breaches found in 2011, e-commerce targets increased 9 per cent to 20 per cent over the previous year. Also a majority (89 per cent) of that involved gaining access to customer records, including cardholder data, PLL and email addresses.

Marc Bown, managing consultant at Trustwave Spiderlabs APAC, explains there is always a motivation for why these forms of crimes are committed and most of the time it comes down to money.
“In our experience the main motivation for most attackers is financial gain. So what they’re looking for is data they can easily monetise, like bank details and credit card numbers. Retailers are a target because they are a sector that has access to that data,” he says.

“If you’re looking at retailers, they’re the ones accepting credit cards and they sometimes have issues with their systems. Once in there, the attackers can get access to those details and use them for fraudulent purposes. The black market is basically trading that information.

“So contrary to popular belief, it’s not that easy to make money out of stealing secrets from a big company.”

Largely the rise in e-commerce breaches was due to additional engagements in the Asia Pacific region where e-commerce compromises are more common than software point-of-sale system compromises. Prior to 2011, all investigations related to payment card data compromise in Asia-Pacific involved e-commerce breaches. While attackers are now migrating to point-of-sale systems, e-commerce attacks are still common.

“Our report in 2010 showed there had been no bricks and mortar compromises, instead they were all e-commerce compromises. The main reason for that is because Australia has a slightly different method of transacting to other parts of the world, which made us a little bit safer for a while,” Bown says.

“But we were a little unlucky last year as there was a bit of a perfect storm where the attackers learned how to attack.  What we’re seeing this year is point-of-sale compromises not back down to zero, but e-commerce once again has become the main target.

“E-commerce is simpler for them but the data in bricks and mortar outlets has more value to them because they can create an account with that data. With the data they get from online, they can only make other online purchases.”

The study also showed more than one-third of those breaches affected mainly the food and beverage sector (43.6 per cent) and the retail sector (33.7 per cent).

“I don’t think it’s necessarily true to say the retail industry is targeted purely because it has access to this data. But I think it goes hand in hand with that factor that perhaps traditionally the retail sector has not focused as much on security as it ought, and because of that perception we don’t have data of value, so perhaps they’re overlooking the fact that these credit card numbers are going through their systems,” Bown says.

Of those affected stores, many of them were franchised businesses who relied heavily on third party support for their IT operations. It was also because many of them tend to have a ubiquitous system that is used at each franchise location.

“So once an attacker learns how to attack one location, they essentially have a recipe that they can use across all the other locations. So once they make that upfront investment in how to break into one location they can get the best return on investment by breaking into as many locations as possible,” Bown says.

At the same time, the pitfalls of running an e-commerce site are not being able to monitor how staff protect and transport data; hosting advertisements that may have malware on them; or not realising the damage to their brand and reputation by hosting an infected site or accidentally leaking confidential information.

“Interestingly, based on Norton Safe Web data, we’ve determined that 61 per cent of malicious sites are actually regular websites that have been compromised and infected with malicious code,” David Freer, vice president consumer, Asia Pacific and Japan, Norton by Symantec, says.

“By category, the top five most infected websites are blogs and web communications, hosting/personal hosted sites, business/economy, shopping, and education and reference,”

But if retailers are such common targets why are they not doing anything about it? A recent report from the Ponemon Institute revealed almost 40 per cent of global data breaches are caused by negligence.

ARA executive director Russell Zimmerman said the growing number of retailers moving from traditional bricks and mortar into multichannel retailing meant the risk of a data breach was greater than ever before with education being the key to solving the issue.

“Such figures are alarming and could possibly wipe out some smaller retailers as well as cause a lot of brand damage to larger ones. Retailers will be surprised to learn the extent of damage a data breach can cause the industry,” he said.

“Criminals are constantly looking out for vulnerable businesses, especially those with credit card data, to conduct fraud instantly using that data.”

But learning from others’ misfortunes or vulnerabilities and applying tactical and strategic change will mean organisations are better able to reduce the likelihood of incidents and resultant data loss.

This article featured in the Sep-Nov issue of RetailBiz magazine. To subscribe to the quarterly publication click here.