Card present breaches involving POS compromises or gas-pump skimmers continue to decline. Attacks against e-commerce payment applications are satisfying the financial motives of the threat actors targeting this industry.

Top 3 patterns – Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches

Threat actors – External (81%), Internal (19%) (breaches)

Actor motives – Financial (97%), Fun (2%), Espionage (2%) (breaches)

Data compromised – Payment (64%), Credentials (20%), Personal (16%) (breaches)

Illustrative breaches

  • Poshmark
  • StockX
  • CafePress
  • Walmart
  • Uniqlo
  • BenefitMall
  • Sports Direct
  • Hy-Vee
  • CEX
  • OXO
  • Morrison’s supermarket
  • Target Stores
  • Fresh Film Productions Dove’s ‘real people’ campaign
  • Dixons Carphone
  • National Lottery Hacker
  • DealerLeads
  • Kobe Steel Ltd.
  • Estée Lauder
  • Macy’s Inc.
  • Hanna Andersson
  • J-Crew
  • Le Duff America, Inc.
  • Select-Express & Logistics
  • Shopify
  • BigBasket
  • Estée Lauder
  • T-Mobile
  • NutriBullet
  • Nintendo
  • Claire’s
  • Boom! Mobile
  • Home Depot
  • Mercari
  • Amazon
  • Bizongo
  • Mercedes-Benz USA

Data breach – maximum fines and damages

  • Target Stores

In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-thanksgiving Black Friday sales rush. Later investigations found names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reach over $200 million.

  • Dixons Carphone

Dixons Carphone is facing a £500,000 fine from the ICO (Information Commissioner’s Office), following a cyber attack that affected millions of customers.An investigation by the UK’s data protection watchdog found cyber criminals had compromised the retailer’s payment systems and siphoned off the credit and debit card information of 14 million customers.

The £500,000 fine is the maximum possible fine under the DPA (Data Protection Act) 1998, which applied to this incident because the data breach occurred before the GDPR (General Data Protection Regulation) took effect.

  • National Lottery Hacker

A cyber-criminal has been jailed for nine months for committing offences against the National Lottery.Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge.The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.


The PDPC issued included a $34,000 fine imposed on marketing firm for insufficiently protecting the data of its clients and for holding on to such data it no longer needed for legal or business purposes.


A.P. EoodEUR 5,100Data Protection Commision of Bulgaria
Avon CosmeticsEUR 60,000Spanish Data Protection Authority
SpartooEUR 2,50,000French Data Protection Authority
House Guard of BournemouthEUR 150,000Information Commissioner Office, UK
EDP Comercializadora SA EUR 1.5 million Spanish Data Protection Authority (AEPD)
Highcliffe Estates Marbella, SL EUR 8,000 Spanish Data Protection Authority (AEPD)
Brico Prive EUR 500,000 French Data Protection Authority (CNIL)
Iren Mercato SpaEUR 3 million Italian Data Protection Authority (Garante)
Huppuís ehfISK 5 millionIcelandic Data Protection Authority (Personuvernd)