Cybercrime is big business and retail targets are sitting firmly in the crosshairs.
A report published by cybersecurity firm Shape Security provided an insight into the current threat landscape of the retail industry, with statistics showing that between 80 and 90% of logins to customer-facing retail websites are hackers using stolen credentials. This type of attack is known as credential stuffing: the process of using previously stolen credentials, coupled with advanced Artificial Intelligence (AI), to attempt millions of logins to a customer-facing website with the goal of gaining access to multiple accounts.
In October 2018 and February 2019, US retail giant Dunkin’ Donuts was faced with two separate data breaches, both the result of credential stuffing attacks. Attackers accessed up to 300,000 consumers’ personally identifiable information (PII), including names, email addresses and Dunkin’ Donuts loyalty credit information. This information was subsequently listed for sale on popular dark web markets. As a result of these data breaches, in September 2019, the state of New York formally filed a lawsuit against the franchise citing “Dunkin’ failed to protect the security of its customers”.
Data breaches such as those experienced by Dunkin’ Donuts can have multiple implications for an online business, including:
- Financial implications and costs in relation to incident forensics and reporting, as well as associated costs of downtime in the event that the attackers’ actions take the organisation offline; and
- Reputational damage, as a data breach can harm the company’s brand in the broader market. This can lead to a lack of trust from consumers in relation to storing their personal information. If customers don’t trust you with their information, they might switch to a competitor.
The diagram below highlights how businesses can protect their customers’ information and assets.