Retail - Privacy Desk

Card present breaches involving POS compromises or gas-pump skimmers continue to decline. Attacks against e-commerce payment applications are satisfying the financial motives of the threat actors targeting this industry.

Top 3 patterns – Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches

Threat actors – External (81%), Internal (19%) (breaches)

Actor motives – Financial (97%), Fun (2%), Espionage (2%) (breaches)

Data compromised – Payment (64%), Credentials (20%), Personal (16%) (breaches)

Illustrative breaches

Poshmark
StockX
CafePress
Walmart
Uniqlo
DiscountMugs.com
BenefitMall
Sports Direct
Bodybuilding.com
Hy-Vee
CEX
OXO
Morrison’s supermarket
Target Stores
Fresh Film Productions Dove’s ‘real people’ campaign
Dixons Carphone
National Lottery Hacker
Globalsign.in
DealerLeads
Kobe Steel Ltd.
Estée Lauder
Macy’s Inc.
Hanna Andersson
J-Crew
Le Duff America, Inc.
Select-Express & Logistics
Shopify
BigBasket
Estée Lauder
T-Mobile
NutriBullet
Nintendo
Claire’s
Boom! Mobile
Home Depot
Mercari
Amazon
Bizongo
Mercedes-Benz USA
Neiman Marcus Group
Guntrader.uk
Spreadshirt, Spreadshop, and TeamShirts
Next Level Apparel
Pro Wrestling Tees
Pulse TV
Trickbot
Graff
Panasonic
Aditya Birla Fashion and Retail Ltd
Pulse TV
Puma

Data breach – maximum fines and damages

Target Stores: In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-thanksgiving Black Friday sales rush. Later investigations found names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reach over $200 million.

Dixons Carphone: Dixons Carphone is facing a £500,000 fine from the ICO (Information Commissioner’s Office), following a cyber attack that affected millions of customers.An investigation by the UK’s data protection watchdog found cyber criminals had compromised the retailer’s payment systems and siphoned off the credit and debit card information of 14 million customers. The £500,000 fine is the maximum possible fine under the DPA (Data Protection Act) 1998, which applied to this incident because the data breach occurred before the GDPR (General Data Protection Regulation) took effect.

National Lottery Hacker: A cyber-criminal has been jailed for nine months for committing offences against the National Lottery.Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge.The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.

Globalsign.in: The PDPC issued included a $34,000 fine imposed on marketing firm Globalsign.in for insufficiently protecting the data of its clients and for holding on to such data it no longer needed for legal or business purposes.

Enforcements

Name	Fine	Authority
A.P. Eood	EUR 5,100	Data Protection Commision of Bulgaria
Avon Cosmetics	EUR 60,000	Spanish Data Protection Authority
Spartoo	EUR 2,50,000	French Data Protection Authority
House Guard of Bournemouth	EUR 150,000	Information Commissioner Office, UK
EDP Comercializadora SA	EUR 1.5 million	Spanish Data Protection Authority (AEPD)
Highcliffe Estates Marbella, SL	EUR 8,000	Spanish Data Protection Authority (AEPD)
Brico Prive	EUR 500,000	French Data Protection Authority (CNIL)
Iren Mercato Spa	EUR 3 million	Italian Data Protection Authority (Garante)
Huppuís ehf	ISK 5 million	Icelandic Data Protection Authority (Personuvernd)
Dixons South East Europe	EUR 20,000	Hellenic Data Protection Authority (HDPA)
Hellenic Technical Enterprises Ltd.	EUR 25,000	Cypriot Data Protection Commissioner
Flowbird Italia s.r.l.	EUR 30,000	Italian Data Protection Authority (Garante)
Amazon Europe Core S.à.r.l.	EUR 746 million	National Commission for Data Protection (CNPD), Luxemburg
Monsanto Company	EUR 400,000	French Data Protection Authority (CNIL)

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Cookie Consent