Vulnerability neutralized: Safeguarding Canadian Retail Against Cyber Threats

The doors are locked, the systems are down, and business has come to a halt – it’s the fear all Canadian retailers face. And when a cyber attack succeeds, we all feel the impact. 

Cybersecurity in the Canadian retail sector has again made headlines in recent weeks with the attack on London Drugs. But before anyone passes judgement, it’s important to understand the cyber challenges faced by the retail industry, especially given that the retail sector is a vital part of our economy, contributing over $66.7 billion a month to the GDP, and employing millions of people from coast to coast to coast. As more and more shopping moves online and retailers collect and store a growing range of sensitive financial and personally identifiable information (PII), the risk of cyber attacks and data breaches has grown as well.

Ensuring the cybersecurity of Canadian retailers is essential to protecting the economy and consumer trust. However, many retailers face an enormous challenge in acquiring the resources and expertise needed to comprehensively secure their systems. Having worked with some of the country’s largest retail organizations on safeguarding their customers’ security and privacy, we thought it important to share our expertise and advice on how to fight back.

In this two-part series, we speak to Gerard Dunphy, ISA Cybersecurity’s Offering Leader – Detection, Response & Recovery, to share his insights on retail cybersecurity. Gerard is one of Canada’s foremost experts on managing cyber incidents and has been involved in the recovery efforts after some of the country’s highest-profile cyber attacks. In part one of the series, Gerard identifies some of the key risks, vulnerabilities, and challenges faced by retailers every day. In part two, he discusses strategies retailers can take to identify and mitigate cyber risk to protect consumers and themselves from damaging cyber incidents. 

Q: What are some of the unique cyber challenges faced by Canadian retail?

Gerard: Retail organizations collect large amounts of sensitive customer data – such as credit and debit card information – as well as other personally identifiable information. This makes them a lucrative target for cyber criminals who can use this information fraudulently, hold it for ransom to extort money from the organization, and/or sell it on the dark web. 

A key challenge facing retailers comes in the form of their digital sales channels. E-commerce isn’t new, but certainly the pandemic caused many retailers of all sizes to pivot to online sales. Speed to market and data collection were the key factors, not necessarily security. The more you know about a customer’s shopping behaviour and preferences, the more you can customize and personalize the experience to enhance sales. And while it’s tempting to think that everyone has gone back and completely assessed their infrastructure to reduce their cybersecurity risk, it hasn’t been easy amid the current financial situation – not to mention the ongoing challenges to find and retain cyber expertise. This leaves potential security gaps and vulnerabilities, which act like a welcome mat for cyber threat actors looking to attack a target environment.

Another area that I’d say poses a greater threat for retail than many other sectors is the use of IoT. Retail organizations have seen a significant increase in the use of inter-connected devices, from inventory control to warehouse operations. And, of course, there are lots of point-of-sale devices that may be exposed to the general public unless properly secured and monitored. According to a recent report, retail has the third highest number of unique IoT devices of any sector, and generates the most IoT data traffic of any sector. All of these devices increase an organization’s attack surface, giving the bad guys more areas to exploit. To reduce this risk, those devices need to be configured, patched and managed, and the data they generate needs to be monitored, segmented, and secured. It’s a lot of work!

Finally, a cyber challenge that is magnified in the retail sector is the staff profile. Personnel can range from full-time permanent to seasonal part-time help. You’ve got all kinds of different people bringing in their own devices, using corporate systems, and handling point-of-sale devices and other equipment. This makes a cohesive security awareness program more complex to implement and administer. Hackers just need a single opportunity to deploy malware, so if everyone isn’t fully trained and fully invested in security, there’s a heightened risk that someone could get duped by a phishing email or click on a bad link on the Internet. As the first line of defense against cyber attack, human resilience is key.

Q: What are the main tactics used by cyber criminals in targeting the retail sector?

Gerard: In my experience, ransomware and phishing attacks are the key challenges for retailers and the internal staff, while infostealers – be they on e-commerce sites or affecting IoT devices like point-of-sale (POS) equipment – are a key area of concern. In retail, we typically see money as being the prime motivation for criminals – as opposed to hacktivism or system destabilization – so their tactics are designed to facilitate that end. Cyber criminals who can access the wealth of personal and financial information warehoused by retailers have a variety of opportunities available to them. As I mentioned, they can offer this data up for sale on the dark web. They can use personal details to pivot to launch identity theft, or leverage stolen credentials to pivot and attack other targets. This is why we strongly encourage people to never use the same password for more than one service. Attackers are finding that obtaining valid credentials is an easier route to achieving their goals and objectives, so the abuse of valid accounts has seen a dramatic rise. Consider a recent report from IBM (a partner of ISA Cybersecurity), which explains that valid account abuse accounts for 30% of incidents handled by their X-Force team.

Cyber criminals are typically gaining access by using traditional social engineering tactics like phishing, business email compromise, and malware deployment. While ransomware continues to reign supreme as the weapon of choice for threat actors that target large high-value organizations or entities, organized data theft and extortion cases have been notably rising in popularity. We’ve seen major ransomware incidents in the Canadian retail sector in recent months. In a 2024 study, a 76% increase was reported in the number of victims named on dedicated leak sites between 2022 and 2023.

Q: You mentioned infostealers: tell us a little more about that.

Gerard: In contrast to some of the social engineering approaches used by cyber criminals, in which the human element is exploited, infostealers are usually silent and hidden. Malware can reside on an e-commerce website or portal, and when unsuspecting customers log in or enter the financial data for payment, that information will be scraped from the site. Those credentials can then be exploited on the spot, or put on the dark web for resale or extortion. The end user has no idea it’s even happened. And while the hackers don’t get “bulk data” as they would from breaking into a database, they are getting a steady stream of fresh and current data, which is attractive for criminals.

Infostealers play a part in IoT compromise as well, particularly with POS terminals. Here, the malware plays a man-in-the-middle role, so account user credentials and payment card data can be silently harvested from transactions, and again sold on the dark web or otherwise used by cyber criminals to commit cyber crimes ranging from network access to credit card fraud to identity theft.

Join us next week for Part 2 of our conversation with Gerard Dunphy.

ISA Cybersecurity is one of Canada’s leading cybersecurity-focused companies. We specialize in cyber services and solutions for the retail sector. We work with some of the country’s largest retail organizations to safeguard their customers’ security and privacy and help them adopt a cost-effective proactive approach to cybersecurity. Let’s talk about how we can help your business today!
