Card-present breaches involving POS compromises or gas-pump skimmers continue to decline, while attacks against e-commerce payment applications now satisfy the financial motives of the threat actors targeting this industry.
Top 3 patterns – Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches
Threat actors – External (81%), Internal (19%) (breaches)
Actor motives – Financial (97%), Fun (2%), Espionage (2%) (breaches)
Data compromised – Payment (64%), Credentials (20%), Personal (16%) (breaches)
Illustrative breaches
- Poshmark
- StockX
- CafePress
- Walmart
- Uniqlo
- DiscountMugs.com
- BenefitMall
- Sports Direct
- Bodybuilding.com
- Hy-Vee
- CEX
- OXO
- Morrison’s supermarket
- Target Stores
- Fresh Film Productions Dove’s ‘real people’ campaign
- Dixons Carphone
- National Lottery Hacker
- Globalsign.in
- DealerLeads
- Kobe Steel Ltd.
- Estée Lauder
- Macy’s Inc.
- Hanna Andersson
- J-Crew
- Le Duff America, Inc.
- Select-Express & Logistics
- Shopify
- BigBasket
- T-Mobile
- NutriBullet
- Nintendo
- Claire’s
- Boom! Mobile
- Home Depot
- Mercari
- Amazon
- Bizongo
- Mercedes-Benz USA
- Neiman Marcus Group
- Guntrader.uk
- Spreadshirt, Spreadshop, and TeamShirts
- Next Level Apparel
- Pro Wrestling Tees
- Pulse TV
- Trickbot
- Graff
- Panasonic
- Aditya Birla Fashion and Retail Ltd
- Puma
Data breach – maximum fines and damages
- Target Stores: In 2017, retail giant Target agreed to an $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-Thanksgiving Black Friday sales rush. Later investigations found that names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reached over $200 million.
- Dixons Carphone: Dixons Carphone is facing a £500,000 fine from the ICO (Information Commissioner's Office), following a cyber attack that affected millions of customers. An investigation by the UK's data protection watchdog found that cyber criminals had compromised the retailer's payment systems and siphoned off the credit and debit card information of 14 million customers. The £500,000 fine is the maximum possible fine under the DPA (Data Protection Act) 1998, which applied to this incident because the data breach occurred before the GDPR (General Data Protection Regulation) took effect.
- National Lottery Hacker: A cyber-criminal has been jailed for nine months for committing offences against the National Lottery. Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge. The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.
- Globalsign.in: Among the penalties issued by the PDPC (Singapore's Personal Data Protection Commission) was a $34,000 fine imposed on marketing firm Globalsign.in for insufficiently protecting its clients' data and for retaining data it no longer needed for legal or business purposes.
Enforcements

| Name | Fine | Authority |
|------|------|-----------|
| A.P. Eood | EUR 5,100 | Data Protection Commission of Bulgaria |
| Avon Cosmetics | EUR 60,000 | Spanish Data Protection Authority (AEPD) |
| Spartoo | EUR 250,000 | French Data Protection Authority (CNIL) |
| House Guard of Bournemouth | EUR 150,000 | Information Commissioner's Office (ICO), UK |
| EDP Comercializadora SA | EUR 1.5 million | Spanish Data Protection Authority (AEPD) |
| Highcliffe Estates Marbella, SL | EUR 8,000 | Spanish Data Protection Authority (AEPD) |
| Brico Privé | EUR 500,000 | French Data Protection Authority (CNIL) |
| Iren Mercato Spa | EUR 3 million | Italian Data Protection Authority (Garante) |
| Huppuís ehf | ISK 5 million | Icelandic Data Protection Authority (Persónuvernd) |
| Dixons South East Europe | EUR 20,000 | Hellenic Data Protection Authority (HDPA) |
| Hellenic Technical Enterprises Ltd. | EUR 25,000 | Cypriot Data Protection Commissioner |
| Flowbird Italia s.r.l. | EUR 30,000 | Italian Data Protection Authority (Garante) |
| Amazon Europe Core S.à.r.l. | EUR 746 million | National Commission for Data Protection (CNPD), Luxembourg |
| Monsanto Company | EUR 400,000 | French Data Protection Authority (CNIL) |