The holiday season is upon us, with consumers hastily making travel plans in between browsing for gifts for loved ones. A few also remember during this season that major retail breaches have long-lasting and far-reaching effects, with settlements that drag on for years and occasionally cost companies billions of dollars.
More recently, the public has become acquainted with point of sale (POS) breaches impacting large hotel and restaurant chains, sometimes compromising millions of consumer payment cards. Risking accusations of grinchlike behavior, BitSight researchers turned a discerning eye on the Retail and Hospitality industries to gain an understanding of their security performance.
Figure 1 displays the number of breaches that BitSight categorized month by month within the Retail and Hospitality industries in 2015 and 2016. For ease of comparison we have highlighted November and December of each year. It is readily apparent that both industries exhibit a sporadic breach pattern, with spikes and lulls at particular points throughout the year. Retail experiences fewer incidents than Hospitality, with a few months standing out as exceptions. What is particularly surprising is that both industries show a slight decline in breaches during the holidays. It is possible that controls and security practices are stepped up as the holidays approach, or that companies are simply too busy during this season to report breaches as they occur. Because the chart counts breaches by when they were reported and categorized rather than when they happened, such a reporting lag would push holiday incidents into the following months, which might also explain the spikes early in each year.
BitSight’s examination of Retail and Hospitality also revealed significant differences in the breach types experienced by companies in each industry. Figure 2 shows that the Hospitality industry outpaced Retail in the percentage of breaches flagged as POS attacks while lagging slightly behind in every other category. Both industries are commonly regarded as ripe targets for POS attacks because of their large number of brick-and-mortar locations with exploitable payment terminals. Retail, however, saw a more uniform distribution of breach types, with the exception of Web Application Compromise, which makes up over 25% of the incidents observed. Hospitality companies would do well to take specific actions against their POS risk, such as monitoring the security of the endpoints that handle card data and keeping that data behind properly configured firewalls that isolate POS systems from the rest of the network.
The holidays bring increased revenue for large retailers and hotel chains. That increase in business also tempts attackers, so it is important for businesses in all industries to proactively mitigate risk and avoid appearing in next year’s holiday breach report.