Dive Brief:
- U.S. retailers lead the world in security breaches, according to the 2018 Thales Data Threat Report, Retail Edition. U.S. retail data breaches more than doubled since the last Thales report, rising to 50% from 19% in the 2017 survey. The global average of retail executives reporting data breaches is 27%.
- Additionally, the number of U.S. retailers reporting a data breach at any time in the past is up to 75% with half of those occurring in the last year. Of global retailers, 60% report at least one breach in the past. As a result, U.S. retail is now the second most breached segment analyzed by Thales, trailing the U.S. federal government only slightly and ranking ahead of healthcare and financial services.
- While 84% of the U.S. retailers polled are increasing information technology security spending, which is up from last year's 77% and exceeds global retail's 67%, the Thales report said that the spending is "in all the wrong places." The spending is highest on security measures regarded as least effective.
Dive Insight:
In a truly dubious accomplishment, retail has emerged as the world leader in data breaches. Big numbers and bad news for U.S. retailers characterized a recent report from Thales eSecurity. Data breaches increased significantly last year, and while retailers are spending big to counter them, the report said the money is not being spent well.
Significant breaches have already been reported this year, building on a trend seen over the last few years. Retailers reporting significant breaches recently included Macy's and Bloomingdale's, Adidas, Panera Bread, Under Armour, Chipotle, and Hudson's Bay Co.'s Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. In previous years the list included Kmart, Buckle and Eddie Bauer. Many of the reported breaches involved months-long attacks on point-of-sale systems.
"This year's significant increase in data breach rates should be a wakeup call for all retail organizations," said Peter Galvin, chief strategy officer of Thales eSecurity, in a press release announcing the study's findings.
According to the Thales report findings, significantly more U.S. retail respondents plan to increase IT security spending this year, as compared with last year, in keeping with other industry predictions. Increased spending on IT and cloud technologies overall was confirmed by a Retail Systems Research survey, which found 72% of 158 retailer representatives reporting that IT spending would increase in the next three years.
The most effective defenses against security breaches, as cited by 91% of U.S. retail respondents, were analysis and correlation tools, followed by data-in-motion defenses (90%), the Thales report said. Endpoint and mobile defenses were rated least effective, but they ranked highest in planned spending increases by U.S. retailers.
Ranked by spending priority, defensive technologies that deliver higher effectiveness ranked at the bottom of retailers' planned investments, with 57% and 62% of U.S. retailers planning to implement data-at-rest and data-in-motion measures respectively.
"While nearly 95% of retailers acknowledge vulnerability to data breaches, now almost half recognize they are extremely vulnerable. This is an increase of 30% from the previous year," said Garrett Bekker, principal analyst for information security at 451 Research, in the press release. "While this trend can be partially attributed to U.S. retailers aggressively pursuing a multi-cloud strategy, these organizations continue, year after year, to spend on the same security solutions that worked for them previously."
"With increasingly porous networks and expanding use of external resources (SaaS, PaaS and IaaS most especially), traditional endpoint and network security are no longer sufficient to protect sensitive data," he said. Bekker provided the best practice data and security recommendations in the report.