Retail Industry Ranks Third in Client Data Leaks


Almost 730 retail firms worldwide experienced data breaches exposing consumer data. Businesses operating in the retail field have leaked consumers’ data more than most other industries, reveals the latest research by NordPass. Since late 2019, almost 730 retail companies have suffered data breaches during which various consumer data (e.g., email addresses, passwords, and usernames) was leaked. This places the retail industry third among the sectors with the most client data leaks.

To conduct this study, NordPass partnered with independent third-party researchers who investigated which companies in the retail and other industries failed to secure consumers’ data the most, in terms of size, type (i.e. private, non-profit), and origin.

Other industries failing with clients’ data
Researchers found that entertainment and technology companies are the worst at protecting clients’ data. However, retail companies are not much better, with this industry having experienced a similar number of cybersecurity incidents that exposed clients’ data.

Firms operating in business services and the education fields are also responsible for a significant portion of consumers’ data leaks worldwide.

Most affected countries
Of retail companies worldwide responsible for exposing clients’ data to hackers, over a fifth are based in the US. With US companies leading the list, Brazil and France follow with around 80 and 70 businesses, respectively.

“In a constantly challenged cyber environment, businesses no longer have the luxury to store consumer data in plain text on Excel or otherwise neglect basic cybersecurity practices. To avoid financial and reputational risks, companies should consider it their duty to ensure client’s data is secured against online threats, even if the legislation is not there yet,” said Tomas Smalakys, the CTO of NordPass.

Private companies are the number one target
In terms of organisation type, private businesses in the retail field were of most interest to hackers. Based on the study, they make up almost half of the organisations that had their clients’ data stolen. To a lesser extent, cybercriminals have also targeted public companies (7 percent), solopreneur businesses (6 percent), and other types of organisations.

Researchers have also concluded that smaller companies are more likely to experience a data breach and lose clients’ data as a result. In the retail industry, companies with up to 50 employees had their clients’ data compromised the most.

How to secure clients’ data
Despite intensifying cyber risks, many retail businesses, especially smaller ones, lack awareness of why and how they should secure clients’ data.

Setting up a cyber resilience plan and organising employee training could be a good start, says Smalakys. Additionally, companies should consider network security solutions, such as business VPNs, that restrict unauthorised access to computing systems. They have proved an effective solution against malware and other malicious attacks.

Password management is another field to improve, said Smalakys. While many cybersecurity incidents happen simply due to compromised credentials, even the world’s biggest companies do not abandon poor password management practices, reveals an earlier study by NordPass. Up to 32 percent of their passwords contain a direct reference to the company, which is a gift to hackers.

To address this issue, Smalakys recommends adopting password managers, which allow people within the organisation to store, manage, and share passkeys in an end-to-end encrypted space. In addition, companies can try out passkeys, the new online authentication method currently considered the most secure alternative to passwords. Progressive companies like Google, Microsoft, Apple, PayPal, and KAYAK already allow account access with passkeys.

Methodology
The study was conducted in partnership with independent researchers specialising in research of cybersecurity incidents. They looked for databases leaked from various organisations and analysed them based on various criteria, such as country, industry, business type, size of the company, and data items’ type. The research represents the breaches that happened between December 2019 and July 2023.