
Data Breaches Within the Retail and Hospitality Industries

Ryan Heitsmith | November 28, 2017

The holiday season is upon us, with consumers hastily laying travel plans between time spent browsing for gifts for loved ones. During this season, a few also remember that major retail breaches have long-lasting and far-reaching effects with settlements dragging into the years and occasionally costing companies up to billions of dollars.

More recently, the public has become acquainted with point of sale (POS) breaches impacting large hotel and restaurant chains, sometimes compromising millions of consumer payment cards. Risking accusations of grinchlike behavior, BitSight researchers turned a discerning eye on the Retail and Hospitality industries to gain an understanding of their security performance.


[Figure 1: monthly breach counts, Retail vs. Hospitality, 2015 through 2016, with November and December highlighted]

Figure 1 displays the number of breaches that BitSight has categorized from month to month within the Retail and Hospitality industries between 2015 and 2016. For ease of comparison we have highlighted November and December in each year. It is readily apparent that both industries exhibit a sporadic breach pattern with spikes and lulls at particular points throughout the year. Retail experiences fewer incidents than Hospitality (with a few months standing out as exceptions). What is particularly surprising is that both industries show a slight decline in security events during the holidays. It is possible that controls and security practices are stepped up as the holidays approach, or that companies are simply too busy during this season to report breaches as they occur (this might also explain spikes early in the year).


[Figure 2: breach types as a percentage of incidents, Retail vs. Hospitality]

BitSight’s examination of Retail and Hospitality also revealed significant differences in the breach types experienced by companies in each industry. Figure 2 shows that the Hospitality industry outpaced Retail in the percentage of breaches flagged as point of sale (POS) attacks while lagging slightly behind in every other category. Both industries are commonly regarded as ripe targets for POS attacks because of the large number of brick-and-mortar locations with exploitable payment terminals. Retail, however, saw a more uniform distribution of breach types, with the exception of Web Application Compromise, which makes up over 25% of the incidents observed. Hospitality companies would do well to take specific actions to address their risk of POS attack, such as monitoring endpoint security and ensuring data is safe behind properly configured firewalls.
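The two charts above come from the same kind of aggregation: bucket breach records by month and industry (Figure 1) and by category and industry (Figure 2). The Python below is an added example, not BitSight's code or data; it runs the two aggregations on a small constructed breach log and, because the post raises the possibility that holiday incidents are simply reported late, it buckets on both the incident date and the disclosure date so the reader can see how a reporting lag alone can produce a holiday dip and an early-year spike. The record fields, industry names and category labels are assumptions chosen for the example.

```python
from collections import Counter
from datetime import date
from statistics import mean
from typing import NamedTuple


class Breach(NamedTuple):
    occurred: date      # when the incident happened
    disclosed: date     # when it became public / was categorised
    industry: str
    category: str


# Constructed sample records (not BitSight data). Several holiday-season
# incidents are deliberately disclosed in the following January so the
# reporting-lag effect described in the post is visible.
BREACHES = [
    Breach(date(2016, 1, 12), date(2016, 1, 20), "Hospitality", "Point of Sale"),
    Breach(date(2016, 3, 5), date(2016, 3, 9), "Hospitality", "Point of Sale"),
    Breach(date(2016, 3, 20), date(2016, 4, 2), "Hospitality", "Web Application Compromise"),
    Breach(date(2016, 6, 8), date(2016, 6, 15), "Hospitality", "Point of Sale"),
    Breach(date(2016, 8, 14), date(2016, 8, 30), "Hospitality", "Phishing"),
    Breach(date(2016, 11, 22), date(2017, 1, 9), "Hospitality", "Point of Sale"),
    Breach(date(2016, 12, 15), date(2017, 1, 18), "Hospitality", "Point of Sale"),
    Breach(date(2016, 2, 3), date(2016, 2, 10), "Retail", "Web Application Compromise"),
    Breach(date(2016, 4, 9), date(2016, 4, 20), "Retail", "Point of Sale"),
    Breach(date(2016, 7, 1), date(2016, 7, 12), "Retail", "Phishing"),
    Breach(date(2016, 9, 18), date(2016, 9, 25), "Retail", "Web Application Compromise"),
    Breach(date(2016, 10, 30), date(2016, 11, 3), "Retail", "Point of Sale"),
    Breach(date(2016, 11, 28), date(2017, 1, 5), "Retail", "Web Application Compromise"),
    Breach(date(2016, 12, 20), date(2017, 2, 1), "Retail", "Insider"),
]

HOLIDAY_MONTHS = {11, 12}


def monthly_counts(records, industry, by="occurred"):
    """Breaches per (year, month) for one industry, Figure 1 style.

    by="occurred" buckets on the incident date; by="disclosed" buckets on the
    disclosure date, which is what a feed built from public reports sees.
    """
    counts = Counter()
    for rec in records:
        if rec.industry != industry:
            continue
        d = rec.occurred if by == "occurred" else rec.disclosed
        counts[(d.year, d.month)] += 1
    return dict(counts)


def holiday_vs_rest(counts, years):
    """Mean monthly count in Nov/Dec versus all other months.

    Months with no breaches count as zero, otherwise quiet months would be
    silently dropped and the comparison biased upward.
    """
    holiday, rest = [], []
    for y in years:
        for m in range(1, 13):
            bucket = holiday if m in HOLIDAY_MONTHS else rest
            bucket.append(counts.get((y, m), 0))
    return mean(holiday), mean(rest)


def category_shares(records, industry):
    """Percentage of an industry's breaches per category, Figure 2 style."""
    tally = Counter(r.category for r in records if r.industry == industry)
    total = sum(tally.values())
    return {cat: round(100 * n / total, 1) for cat, n in tally.items()}


if __name__ == "__main__":
    for industry in ("Retail", "Hospitality"):
        by_incident = monthly_counts(BREACHES, industry)
        by_report = monthly_counts(BREACHES, industry, by="disclosed")
        print(industry, "holiday/rest by incident date:",
              holiday_vs_rest(by_incident, [2016]))
        print(industry, "holiday/rest by disclosure date:",
              holiday_vs_rest(by_report, [2016]),
              "Jan 2017 disclosures:", by_report.get((2017, 1), 0))
        print(industry, "category shares:", category_shares(BREACHES, industry))
```

On this constructed log the Hospitality holiday months hold two incidents when bucketed by incident date, but zero when bucketed by disclosure date, with both reappearing as a January spike. Whenever a breach feed is assembled from public disclosures, reporting which date was used to bucket the counts is the check that separates a real seasonal drop from a reporting artifact.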

The holidays result in increased revenue for large retailers and hotel chains. This increase in business can tempt attackers and it is important for businesses in all industries to proactively mitigate risk to avoid making next year’s holiday breach report.
