Canadian Retailer - Holiday 2015 - 33

The toll hackers have taken on business has been immense. Over the past five years, breaches to data have cost businesses billions in direct and indirect costs, and reputations have been battered and bruised - especially the personal reputations of those poor souls caught with their pants down in the Ashley Madison hack earlier this year.

The good news in the bad news about hacking is that retailers don't face any threats that are specific to their industry. Indeed, the styles and ferocity of attacks on retailers are the same as the attacks made on those in other industries.

The other good news is that many retailers have moved to protect themselves through investments in technology and - crucially - the deployment of a new role in the organization to spearhead security efforts - the chief information security officer.

The long road to CSIOs

Retailers have been hit hard by organized hackers. The 2013 attack on Target bled 40 million credit and debit card numbers along with the personal records of 70 million shoppers. That one breach forced Target to invest $100 million in updating its payment terminals. Banks, also victims of the hack, had to put out at least $240 million to replace all the stolen cards.

That's just one attack. A breach of The Home Depot's servers - a breach made possible using the same malware used against Target - saw 56 million customer records fall into the hands of criminals. Twelve hundred store databases were accessed during an attack on Kmart in 2014. Winner's, Michael's and Neiman Marcus were also compromised. The list goes on, and it will likely grow longer.

How these hacks happen isn't a mystery, says Andrey Pozhogin, senior product manager at technology company Kaspersky Lab North America. Many of the companies attacked simply were not prepared to defend themselves from a hack - unprepared for even the unsophisticated attacks seen recently.

"Bad practices," Pozhogin says of the reason for some of the breaches. "If [these companies] had run scans, most solutions would have detected the vulnerability." In some of these hacks, he says, it appears as though the servers did not run security programs. If they did, the security patches were so dated that the programs didn't notice the presence of malware on the company's servers.

However, breaches are also happening for reasons other than outdated software or bad practices. One of the key reasons is technology, specifically POS systems. A white paper by Trend Micro outlines the numerous ways POS devices - the store's central technology - are an easy entry point into the retailer's systems. Hackers can quickly infect a POS device on the store floor - in particular loosely guarded self-checkout terminals. It is also plausible for hackers to infect POS systems with malware during the manufacturing of the device, as has happened with some smartphones and MP3 players, although the industry has yet to see any evidence of such a breach.

The sameness of POS devices and the supporting technological infrastructure can prove a boon for inventive hackers. The same software runs across an entire store's network, allowing hackers who can break into one store to replicate their success at every other store in the chain. This is bad news for competing retailers, since many businesses use the same store technologies. Breaking into one chain teaches hackers how to digitally smash and grab at another.

Adding to the severity of the threat is the centrality of POS devices to the store systems. Many chains network their POS systems directly into the head office and a breach of a POS device can give hack-

"It's a fantastic move. These roles (chief information security officers) are all about identifying security risks. It's recognition that security requires an investment."
- MARK NUNNIKHOVEN, Trend Micro

AN AUDITOR'S STORY

A security audit tests a retailer's defenses against a hack. Pozhogin recently spoke to an auditor who infiltrated a retailer's computer systems. As Pozhogin explains it, the audit shed light on how the store protects its data - and how it thinks about threats.

The auditor entered a store in a U.S. retail chain dressed in an employee uniform. He told the floor staff that he needed to get into the back so he could check something on the server. One of the floor staff, happy to oblige, walked the auditor into the server room and left him alone.

The auditor brought his tools. He opened his case, plugged in, and began digging into the store's computer systems.

Fortunately, the store's LP team became aware of the strange visitation. They descended on the server room and detained the auditor.

"But days later, he's still on the servers," says Pozhogin, after having found a way into the store's systems through a crack in the online security.

The auditor's conclusions are notable. He found that the retailer was so scared of employees and threats from the inside that it ignored the obvious external threats. The store is very good at protecting the hard stuff - the merchandise, the server room - and very good at monitoring people. But, at least in this case, non-physical assets are less secure. That's the danger.

"Everything is interconnected," says Pozhogin. "Access one, get it all."
