While not the worst performing sector for security, retail is one of the biggest targets for attackers, and a number of breaches hit the headlines in 2015, the most well known being chain store Target. As retailers process a large volume of payments, they are an obvious target for the theft of financial data, which is used for theft and identity fraud or simply sold to the highest bidder on the dark web. In a 2014 report, 48.1% of all web attacks were found to be targeting the sector, which also suffered 1 in 13 of all data breach incidents.

A new report from Security Scorecard examines the weaknesses found in a number of surveyed retailers and gives recommendations on how threats can be mitigated.

How does the sector compare?

When examining the full variety of eighteen sectors such as finance, government, education, legal and telecommunications, retail was placed seventh. Most notably, it ranked lower than the health sector, which was of particular focus last year for its lagging security measures and high profile breaches. The major finding in the case of the retail sector is that all retailers examined were found to have serious web application security flaws.

SecurityScorecard industry graph

What are the key risks?

The pull-out statistics from this report are that 74% of retailers failed the password public exposure test, meaning researchers were easily able to hijack customer accounts. Also, 40% of retailers failed to measure up in their patching cadence, leaving numerous web application vulnerabilities available for attackers to exploit. Most worryingly, some of the highest profile retailers studied had their database servers publicly exposed, running MySQL and Hadoop. That’s millions of user records just waiting to be scooped up and sold.

All of these facts are of increasing concern considering the rapid growth of multichannel marketing, which naturally leads to growth in online payments. This is also an issue when it comes to technology spending as many retailers choose to prioritise growth over security. For example, researchers found that a number of retailers are still relying on legacy systems and misconfigured web applications to process and store customer information. Outdated and insecure technologies such as ColdFusion, Classic ASP and PHP are still being used in checkout processes, despite their vulnerabilities being well known.

So where are retailers going wrong?

The weakest of the retailers studied also showed other issues including a significant volume of malware, open ports, poor network security and password exposure. Many were far behind in patching vulnerabilities, instead relying on only a firewall to keep out attackers. In many cases, the admin portals were accessible on either the domain space itself or the IP address range.

Overall, 100% of the retailers studied had at least one of the following issues:

  • OWASP top 10 vulnerabilities.
  • A popular CMS such as WordPress, Drupal or Joomla with either a publicly exposed admin portal and/or vulnerable themes and templates.
  • Legacy web application software.
  • Legacy business administration web apps hosted on subdomains.
  • Installation default files left on servers.
  • Network portals available on public facing internet.

Another challenging issue for the retail sector is that not only do retailers need to protect the data of their own customers, they also have to consider potentially fraudulent card use. Hackers are known to target certain sites known as ‘cardable’, i.e. poor at detecting stolen credentials. While less high profile, if a retailer becomes known among those holding stolen card details as being unlikely to spot the fraudulent use of a card, the retailer’s reputation for security will still suffer. It may be less likely to hit the headlines, but with millions of fraudulent transactions carried out, such discoveries are bound to have some impact.

What measures are recommended?

One correlation noted is that retailers with larger domain footprints were at greater risk, so keeping network territories to a minimum would be a good step to take. Another obvious measure is the budget given to security: the top performing sector, finance, spends the most on its security and is consequently the most secure. A strong security team should start by addressing the weaknesses noted above, i.e. patch better, address the OWASP top 10, replace legacy systems, prevent access to admin portals, make database servers less available and address CMS vulnerabilities such as outdated themes and insecure templates.
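As an added illustration (not part of the report or of this article), the checklist above can be turned into a recurring audit of a retailer's own external-exposure inventory: each visible endpoint is matched against the weaknesses the report singles out (public database servers such as MySQL and Hadoop, admin portals reachable from the internet, installation default files). The host names are constructed, the port numbers are the products' defaults, and the admin and installer paths are the defaults of WordPress, Joomla and Drupal.

```python
from dataclasses import dataclass

# Database and big-data services that should never face the public internet.
DATABASE_PORTS = {
    3306: "MySQL",
    50070: "Hadoop NameNode web UI (2.x)",
    9870: "Hadoop NameNode web UI (3.x)",
}
# Default login paths of WordPress, Joomla and Drupal.
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/administrator", "/admin")
# Installer leftovers that should be deleted once a site is deployed.
DEFAULT_FILES = ("/wp-admin/install.php", "/readme.html", "/install.php", "/phpinfo.php")


@dataclass(frozen=True)
class Exposure:
    """One externally visible endpoint from an attack-surface inventory."""
    host: str
    port: int
    path: str = "/"
    allowlisted: bool = False  # True if a firewall restricts the source IPs


def classify(exp: Exposure) -> list[str]:
    """Return the report's weakness categories that this endpoint matches."""
    findings = []
    if exp.port in DATABASE_PORTS and not exp.allowlisted:
        findings.append(f"public database: {DATABASE_PORTS[exp.port]} on {exp.host}:{exp.port}")
    if exp.path.startswith(ADMIN_PATHS) and not exp.allowlisted:
        findings.append(f"public admin portal: {exp.host}{exp.path}")
    if exp.path in DEFAULT_FILES:
        findings.append(f"installation default file: {exp.host}{exp.path}")
    return findings


def audit(inventory: list[Exposure]) -> dict[str, list[str]]:
    """Group findings by host; a clean estate returns an empty dict."""
    report: dict[str, list[str]] = {}
    for exp in inventory:
        for finding in classify(exp):
            report.setdefault(exp.host, []).append(finding)
    return report


# Constructed inventory for a fictional retailer; these are not real hosts.
SAMPLE_INVENTORY = [
    Exposure("shop.example-retail.test", 443),                            # fine
    Exposure("shop.example-retail.test", 443, "/wp-admin/install.php"),   # 2 findings
    Exposure("db1.example-retail.test", 3306),                            # public MySQL
    Exposure("hadoop.example-retail.test", 50070),                        # public Hadoop UI
    Exposure("db2.example-retail.test", 3306, allowlisted=True),          # restricted, fine
]
```

Running `audit(SAMPLE_INVENTORY)` flags three of the five hosts; the allowlisted database passes, which is the "make database servers less available" step in practice.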


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.