10 Major Retail Industry Cyber Attacks


To compete in an increasingly cutthroat marketplace, retailers spend vast sums in hopes of becoming household names. But brand recognition is a double-edged sword when it comes to cybersecurity.

Unlike breaches at businesses in other sectors of the economy that operate in relative obscurity, a breach involving a major retailer often becomes front-page news, since far more people are aware of the company and may, in fact, be devoted customers.

And retailers face growing cybersecurity risks. According to Verizon’s 2021 Data Breach Investigations Report, 99 percent of the 165 incidents of data disclosure in the retail sector involved a financial motive. Unsurprisingly, many of those involved payment data, and personal data was compromised in four out of ten attacks. Cybercriminals also focused their attention on credentials, with 33 percent of incidents involving such data.

According to a separate report from Sophos on ransomware and the retail sector, 44 percent of retailers experienced a ransomware attack in 2020—and in more than half of these ransomware attacks, cybercriminals encrypted the data. The average ransom paid by retailers who gave in to the demand was $147,811.

In most cases, however, it wasn’t well spent: Only nine percent of those who paid a ransom received access to their encrypted data.

Ransom payments, unfortunately, were just a blip in the overall financial impact. Including downtime, employee labor, device and network costs, lost opportunity, and ransoms, ransomware attacks resulted in an average remediation cost of $1.97 million.

The following cyber attacks against retailers underscore the depth and severity of the threat facing the sector.

10 of the Biggest Cyber Attacks Against Retailers

10. Guess

Between February 2 and February 23, 2021, denim and apparel giant Guess experienced a ransomware attack that included the theft of customer data. The compromised information included Social Security numbers, driver’s license numbers, passport numbers, and financial account numbers.

  • Cyber attack type: Ransomware
  • Location: Los Angeles, CA
  • Cost: Undisclosed
  • Number of people affected: Undisclosed

Guess adopted undisclosed security measures in the aftermath, and the company notified those impacted by the attack and offered a subscription to an identity theft prevention solution.

9. Forever 21

In 2018, over the course of seven months, attackers accessed payment card data of Forever 21 customers. After obtaining network access, the threat actors deployed malware to gather credit card data from the fashion retailer’s point-of-sale (POS) system. Forever 21 admitted to not previously encrypting some of its POS devices.

  • Cyber attack type: Malware targeting POS systems
  • Location: Los Angeles, CA
  • Cost: Undisclosed
  • Number of people affected: Undisclosed

Ultimately, the company settled a class-action lawsuit and agreed to pay claims for “valid out-of-pocket expenses and charges that were incurred and plausibly arose” from the incident.

8. Bonobos

It’s not only a company’s own network and systems that risk exposing sensitive data, but also those of its partners, especially when operating in the cloud. In January 2021, a 70-gigabyte SQL backup file belonging to Bonobos, the apparel subsidiary of Walmart, was stolen from a third-party cloud provider and posted in a hacker forum. The file contained 7 million shipping addresses, 1.8 million registered customer accounts, and 3.5 million partial credit card records.

  • Cyber attack type: Attack against third-party cloud provider
  • Location: Not disclosed
  • Cost: Not disclosed
  • Number of people affected: 7 million

Bonobos turned off access points, forced customer password resets, and notified customers whose information was exposed in the attack. In early 2022, a U.S. district judge dismissed a class-action lawsuit against the company pertaining to the breach.

7. Under Armour

Usernames, email addresses, and hashed passwords for approximately 150 million users of Under Armour’s MyFitnessPass were compromised when an unauthorized third party accessed the data in February 2018. The company discovered the breach on March 25, 2018.

  • Cyber attack type: Undisclosed
  • Location: New York, NY
  • Cost: Undisclosed
  • Number of people affected: 150 million

The sports equipment and apparel company disclosed that while most of the passwords were protected with “bcrypt,” some of the stolen passwords were hashed using SHA-1.

6. Saks Fifth Avenue/Lord & Taylor

A 2018 malware attack against these Hudson Bay Corporation retailers’ POS resulted in the theft of more than five million credit and debit card numbers. The attackers subsequently attempted to sell the stolen data via the dark web.

  • Cyber attack type: Malware
  • Location: New York, NY
  • Cost: Undisclosed
  • Number of people affected: 5 million

The attack did not impact the companies’ digital platforms. Following the breach, customers were offered free identity protection services.

5. CVS Health

A misconfigured database with 204 gigabytes and 1.1 billion records, including customer email addresses, user IDs, and customer online search information gathered from CVS Health and CVS.com, was found publicly available and unsecured in 2021 by cybersecurity researchers.

  • Cyber attack type: Human error
  • Location: Woonsocket, RI
  • Cost: Undisclosed
  • Number of people affected: Undisclosed

The company restricted access on the same day that third-party researchers notified CVS Health of the unprotected data online.

4. eBay

Using compromised employee credentials, attackers accessed approximately 145 million eBay accounts in 2014. The online auction company acknowledged that attackers managed to copy much of the data tied to the accounts, including email addresses, birth dates, and mailing addresses.

  • Cyber attack type: Compromised employee credentials
  • Location: San Jose, CA
  • Cost: Undisclosed
  • Number of people affected: 145 million

In its response to the attack, eBay required 145 million users to change their passwords. Subsequently, in February 2021, 14 million Amazon and eBay accounts from 2014 to 2021 were sold via a hacker’s forum for $800. It is unknown if the eBay accounts were part of the 145 million accounts stolen in 2014.

3. Neiman Marcus Group

In September 2021, upscale retailer Neiman Marcus notified 4.6 million customers that a hacker had compromised online accounts in May 2020, gaining access to personal data such as usernames and passwords, customer names, contact information, credit card numbers, as well as expiration dates and virtual card numbers.

  • Cyber attack type: Not disclosed
  • Location: Dallas, TX
  • Cost: Not disclosed
  • Number of people affected: 4.6 million

Neiman Marcus forced every customer impacted by the breach to change their password if they had not already done so since May 2020, when the breach occurred. The company also created a dedicated call center to field calls from customers regarding the incident and how they might be impacted. Years earlier, Neiman Marcus paid a $1.5 million settlement related to a 2013 breach involving 370,000 Neiman Marcus credit cards—9,200 of the credit cards were found to have been used fraudulently.


2. Home Depot

Using a third-party vendor’s login credentials, attackers gained access to Home Depot’s network, then deployed malware designed to infect the retail giant’s POS system and gather customer payment information. Between April and September 2014, the breach impacted 52 million customers.

  • Cyber attack type: Compromised third-party credentials/POS malware
  • Location: Atlanta, GA
  • Cost: $215 million
  • Number of people affected: 52 million

Home Depot paid $17.5 million to settle claims by 46 states and Washington, DC. That was just a fraction of the overall costs, however. The company recorded pretax expenses of $198 million related to the breach and subsequent litigation by customers, payment card issuers, and financial institutions before the settlement.

1. Target

A 2013 cyber attack involving Target exposed 41 million payment cards and contact information for approximately 70 million customers. The attack focused on a third-party vendor via a spear-phishing attack designed to steal user credentials. Once threat actors compromised Target’s network, they installed malware to seize customer data over the course of two months.

  • Cyber attack type: Spear phishing/malware
  • Location: Minneapolis, MN
  • Cost: $290 million (approx.)
  • Number of people affected: 70 million

In the aftermath of the breach, Target’s CEO left the company. To resolve claims from 47 states and Washington, DC, Target paid $18.5 million. Previously, the company also agreed to pay $39.4 million to banks and credit unions that lost money due to the breach. All told, including remediation, consulting fees, and other payments, the breach cost the company about $290 million.

The Pressing Need for Cybersecurity

With a vast wealth of payment data, personal information, and user credentials, retailers will continue to attract keen attention from sophisticated attackers. Cybersecurity, therefore, must always be a top priority for retailers if they hope to avoid becoming victims of cybercrime, prevent inadvertent disclosure, and protect the vast amount of customer data in their possession.

Learn more about how Arctic Wolf provides retailers with customized security operation solutions, including round-the-clock, on-demand access to a dedicated team of security experts with extensive expertise helping businesses develop, maintain, and scale their cybersecurity defenses.
