Retail

Card-present breaches involving POS compromises or gas-pump skimmers continue to decline. Attacks against e-commerce payment applications are now satisfying the financial motives of the threat actors targeting this industry.

Top 3 patterns – Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches

Threat actors – External (81%), Internal (19%) (breaches)

Actor motives – Financial (97%), Fun (2%), Espionage (2%) (breaches)

Data compromised – Payment (64%), Credentials (20%), Personal (16%) (breaches)


Illustrative breaches

  • Poshmark
  • StockX
  • CafePress
  • Walmart
  • Uniqlo
  • DiscountMugs.com
  • BenefitMall
  • Sports Direct
  • Bodybuilding.com
  • Hy-Vee
  • CEX
  • OXO
  • Morrison’s supermarket
  • Target Stores
  • Fresh Film Productions Dove’s ‘real people’ campaign
  • Dixons Carphone
  • National Lottery Hacker
  • Globalsign.in
  • DealerLeads
  • Kobe Steel Ltd.
  • Estée Lauder
  • Macy’s Inc.
  • Hanna Andersson
  • J-Crew
  • Le Duff America, Inc.
  • Select-Express & Logistics
  • Shopify
  • BigBasket
  • T-Mobile
  • NutriBullet
  • Nintendo
  • Claire’s
  • Boom! Mobile
  • Home Depot
  • Mercari
  • Amazon
  • Bizongo
  • Mercedes-Benz USA
  • Neiman Marcus Group
  • Guntrader.uk
  • Spreadshirt, Spreadshop, and TeamShirts
  • Next Level Apparel
  • Pro Wrestling Tees
  • Pulse TV
  • Trickbot
  • Graff
  • Panasonic

Data breach – maximum fines and damages

  • Target Stores: In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-Thanksgiving Black Friday sales rush. Later investigations found that names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reached over $200 million.
  • Dixons Carphone: Dixons Carphone is facing a £500,000 fine from the ICO (Information Commissioner’s Office), following a cyber attack that affected millions of customers. An investigation by the UK’s data protection watchdog found that cyber criminals had compromised the retailer’s payment systems and siphoned off the credit and debit card information of 14 million customers. The £500,000 fine is the maximum possible fine under the DPA (Data Protection Act) 1998, which applied to this incident because the data breach occurred before the GDPR (General Data Protection Regulation) took effect.
  • National Lottery Hacker: A cyber criminal has been jailed for nine months for committing offences against the National Lottery. Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge. The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.
  • Globalsign.in: The PDPC imposed a $34,000 fine on marketing firm Globalsign.in for insufficiently protecting the data of its clients and for holding on to such data when it was no longer needed for legal or business purposes.

Enforcements

Name                              | Fine             | Authority
A.P. Eood                         | EUR 5,100        | Data Protection Commission of Bulgaria
Avon Cosmetics                    | EUR 60,000       | Spanish Data Protection Authority
Spartoo                           | EUR 250,000      | French Data Protection Authority
House Guard of Bournemouth        | EUR 150,000      | Information Commissioner’s Office, UK
EDP Comercializadora SA           | EUR 1.5 million  | Spanish Data Protection Authority (AEPD)
Highcliffe Estates Marbella, SL   | EUR 8,000        | Spanish Data Protection Authority (AEPD)
Brico Prive                       | EUR 500,000      | French Data Protection Authority (CNIL)
Iren Mercato Spa                  | EUR 3 million    | Italian Data Protection Authority (Garante)
Huppuís ehf                       | ISK 5 million    | Icelandic Data Protection Authority (Persónuvernd)
Dixons South East Europe          | EUR 20,000       | Hellenic Data Protection Authority (HDPA)
Hellenic Technical Enterprises Ltd. | EUR 25,000     | Cypriot Data Protection Commissioner
Flowbird Italia s.r.l.            | EUR 30,000       | Italian Data Protection Authority (Garante)
Amazon Europe Core S.à.r.l.       | EUR 746 million  | National Commission for Data Protection (CNPD), Luxembourg
Monsanto Company                  | EUR 400,000      | French Data Protection Authority (CNIL)