The Growing Threat of Data Breaches in Grocery
With every year that passes, data breaches become a bigger and more frightening threat for retailers. In 2016, nearly 1,000 cases were reported, the highest number since The Identity Theft Resource Center, in San Diego, began keeping records in 2005.
And grocers are a hot place for data criminals. According to research from Chicago-based fraud protection firm Rippleshot, they make up the No. 1 channel for data breaches in terms of the percentage of compromised accounts.
Today, there are two common forms of breaches that all retailers face: at-rest-data breaches and malware-type breaches, according to Lynn Holland, VP of merchant solutions at ACI Worldwide, an electronic payment solutions provider based in Naples, Fla.
Those incidents concerning at-rest payment data involve settlement files that haven’t been sufficiently secured for storage and transmission to an acquirer. These aren’t too difficult to protect oneself from, Holland notes, as stronger Payment Card Industry Data Security Standard (PCI) controls, network security and encryption help secure the data center. And now tokenization can secure the settlement and back-office processes for merchants, replacing the clear card number with a secure token for all post-authorization processes that secures the consumer’s data while still allowing the merchant’s back-office processes to operate.
“As a token would imply, they have a number, but it’s not the number on the credit card,” says Josh Hartinger, manager, electronic payment technologies at Commerce, Calif.-based wholesaler Unified Grocers. “So if it gets stolen, it doesn’t have any value.”
More alarming and tricky is when self-replicating malware is introduced into the in-store environment, infecting servers in a location and sniffing out card data being passed from payment terminals and the POS platform to be sent for authorization.
“This breach targets the in-store IT environment, which is much harder to physically secure than a hardened central data center,” observes Holland.
The Malice of Malware
Arguably the most significant malware incident on a food retailer in recent memory is Minneapolis-based Target’s incident in 2013, when criminals broke into the retailer through its HVAC service provider, and then placed a self-replicating program that moved from store to store.
“This malware took up residence in the memory of all servers it infected and sniffed for payment-card data flowing through these servers,” Holland explains. “As clear card data was sent from a payment terminal to the POS payment application, it was recorded and sent back to the criminals’ network.”
Overall impact of the malware on Target was significant, as it went public before the holiday season. The breach exposed approximately 40 million debit and credit card accounts over less than one month.
But smaller retailers typically see most of the breaches, Hartinger says, and a lot of them lose so much business as a result, they have to close up shop altogether.
One solution, Holland offers, is to introduce point-to-point encryption technology to the payment process.
“This uses the same type of encryption technology and processes that have been in use to protect debit card PINs,” she says, “and removes the transmission of any non-encrypted card data from the process, rendering these memory-sniffer-type malware attacks ineffective.”
Things Get Tricky
Among malware attacks, ransomware is especially troubling and a growing concern, especially for smaller chains and independents, according to Collin Hite, a data security expert based at the Richmond, Va., office of law firm Hirschler Fleischer.
“Ransomware attacks have exploded in the last two years,” says Hite, who leads the data privacy and security group of the firm’s insurance recovery group. “The ability for cybercriminals to use ransomware is so easy, and the low cost to obtain such software essentially allows anyone to become an overnight hacker.”
Hartinger concurs: “We are hearing reports from retailers that their office systems have been subject to ransomware. It is limited, but something for them to be aware of.”
Typically, a criminal infiltrates a system through a phishing email that a negligent employee opens, which deploys the software into the computer network, locking up the network when a program is activated and holding it for a ransom, sometimes for up to $100,000. It can be incredibly costly both time- and money-wise to unlock the system, so victims often just pay the ransom, almost always required in bitcoin format.
Loretto Foodland, an independent grocer in Loretto, Ky., was one such victim, when one morning in 2015, computers began displaying “crazy messages” and locked up, with cash registers following hours later. When an IT vendor discovered that Russian criminals had hacked and compromised the system, the grocer chose to purchase new computers rather than pay the ransom. While this was an ideal solution for an indie like Loretto, it’s typically not for larger chains. Hite says grocers must ensure they have a robust backup system ready in case of a strike.
But while the culprits in the Loretto ransomware incident were remote, others can easily strike internally via other methods. Skimming, for instance, remains a real threat to grocers, Hartinger says. In such an incident, criminals can put an interface between the payment terminal and the person running information on it, which gets them the data they seek. While some technology works against it, it’s critical for grocers to, first and foremost, maintain their environment, keeping watch over who touches terminals, and restricting access.
“We have seen where retailers just let people go behind … and touch the terminals,” he notes, “and nobody thought anything of it.”
An Etiquette Lesson
Grocers, like all retailers, must have a fully functioning cyberprogram in place for security purposes, Hite asserts. This includes a full risk assessment for data protection, development and implementation of a written information security program, development and testing of an incident response plan for cyberevents, vendor vetting and cyberstandards imposed on them, and PCI compliance.
But training employees to be mindful of their actions and those happening around them is also critical to maintaining security. Grocers should consider:
Paying attention to the “security sandwich”: The gap that leads to big breaches typically happens between the times of planning and completing delivery of features or upgrades, according to Babs Ryan, principal of the retail division of Chicago-based technology consultancy ThoughtWorks. This is called the “security sandwich” — when lots of upfront planning and discussion about security takes place, as well as post-development testing and fixes, but with little or no security in between.
Minimizing the unnecessary and eliminating the unneeded: If you don’t need data, then don’t collect it. Additionally, when information is no longer needed, it should be found and digitally shredded. “Old, forgotten data is dangerous,” Hite cautions. “Eliminate what you no longer need.”
Understanding their network and security’s place in it: Grocers should review network logs for unauthorized activity — and make sure that their security professionals do the same, Hite stresses. Further, security shouldn’t be limited just to the IT department — make sure that the entire organization creates and respects a culture of privacy that prioritizes security as the basis for all operations. Keeping systems up to date, making sure unauthorized people can’t approach terminals, requiring more secure passwords, keeping an eye on employee equipment so it doesn’t get stolen, and training employees not to open questionable links or emails all play a role in respecting a culture of security.