U.S. Retailers: How A Grinch Will Steal Your Holiday This Year

On top of a challenging economic year, retailers, e-tailers, and their customers face a growing threat this holiday season: the rise in cyber-attacks. While businesses have lived with this threat ever since the birth of online sales, this season will be different for several reasons.

Our cursory scans of the Top 30 U.S. Retailers’ online ecosystems revealed that nearly 83% have a potential ecosystem vulnerability that could lead to a cybersecurity breach. The following is what we discovered in our research about these organizations as we are in the middle of the all-important holiday shopping season.


This Holiday Season A Perfect Cybersecurity Storm Has Been Growing On The Horizon

30% – Spike in online purchases

In order to limit their exposure to Covid-19, consumers have increased their e-commerce purchases. In the first half of 2020 online purchases spiked by roughly 30% (US Census Bureau). The holiday season will likely exacerbate this trend.

57% – Improving cybersecurity is a top priority

Prior to Covid-19 the Retail industry as a whole was heavily investing in Digital Transformation initiatives to improve their customer’s experience. According to BDO’s 2020 report on Retail Digital Transformation, cybersecurity is a top priority for these initiatives.

Online Ecosystems, How Vulnerable Are The Top U.S. Retailers?

In preparation for this blog post we used Cyberpion’s Ecosystem Security platform to perform a single pass, external scan of the online ecosystems of the Top 30 U.S. Retailers, including names such as Walmart, Amazon, Kroger, Costco and more. Our goal is to understand this vertical industry as a whole in order to provide insights and benchmarks that may help all Retailers when investing in cybersecurity solutions. For a more detailed explanation of what online ecosystems are, please read more here.

Retailers, especially online retailers, are likely to use substantial online infrastructures that include multiple domains and sub-domains (consider the need for language, region, brand, product and mobile app specific sites), which in turn incorporate hundreds, if not thousands, of connections to third-party providers for tracking, behavior, analytics and advertising services. These third-party providers are in turn connected to additional providers that assist in their service provisioning. Ultimately, these connections lead to thousands of JavaScript, image, and font resources. All of these elements, connections, and infrastructure are possible attack vectors for a hacking attempt.
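As an added illustration of the inventory step this paragraph implies (not code from the original post or from Cyberpion’s platform), the following script takes a constructed retailer page, resolves every script, image and font reference, and groups the ones served from outside the site’s own domain by host and resource type. The site and vendor names are made up, and the two-label domain check is a simplification that stands in for a public-suffix lookup.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for a hypothetical retailer (no real site or vendor).
SAMPLE_HTML = """<html><head>
<link rel="preload" as="font" href="https://fonts.example-cdn.net/shop.woff2">
<script src="https://tag.analytics-vendor.example/t.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="https://img.retailer.example/banner.png">
<img src="//pixel.ads-vendor.example/p.gif">
<script src="https://cdn.analytics-vendor.example/lib.js"></script>
</body></html>"""

class ResourceCollector(HTMLParser):
    """Record each script, image and font reference as (resource_type, url)."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append(("script", a["src"]))
        elif tag == "img" and a.get("src"):
            self.found.append(("image", a["src"]))
        elif tag == "link" and a.get("as") == "font" and a.get("href"):
            self.found.append(("font", a["href"]))

def registrable_domain(host):
    # Simplification: the last two labels stand in for a public-suffix lookup.
    return ".".join(host.lower().split(".")[-2:])

def third_party_inventory(html, page_url):
    """Map each third-party host to a count of resource types loaded from it."""
    collector = ResourceCollector()
    collector.feed(html)
    own = registrable_domain(urlparse(page_url).hostname)
    inventory = defaultdict(lambda: defaultdict(int))
    for rtype, ref in collector.found:
        host = urlparse(urljoin(page_url, ref)).hostname  # resolves relative and // refs
        if host and registrable_domain(host) != own:  # first-party hosts are skipped
            inventory[host][rtype] += 1
    return {h: dict(t) for h, t in inventory.items()}

def third_party_script_origins(html, page_url):
    """Cross-origin scripts execute with the page's privileges, so list them separately."""
    inv = third_party_inventory(html, page_url)
    return sorted(h for h, types in inv.items() if "script" in types)
```

Running the inventory across every page of every domain and sub-domain, and then against each vendor’s own pages, is what turns this one-page check into the ecosystem-wide counts the post reports.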

Key Numbers:
Online Ecosystem Stats – Top 30 Retailers

2,054 – Average number of domains and sub-domains within ecosystem
1,131 – Average number of connected third-party resources
26,998 – Average number of total connections
1,203 – Average number of cloud instances used within ecosystem

Finding The Needle In This Ecosystem Haystack

When you understand that a vulnerability could be hiding anywhere within this ecosystem of domains, resources, connections and cloud instances you can see how challenging the job of understanding your risk can be. The security team must not only be able to discover every element within the ecosystem, they must then assess the potential risk within each element. Fortunately, this is the challenge that Cyberpion answers with ease.

Key Numbers:
Online Ecosystem Vulnerabilities – Top 30 Retailers

Note: The following findings come from a one-time vulnerability assessment on the public-facing assets of these organizations. A deeper and continuous scan of these infrastructures would likely indicate MORE vulnerabilities.

23% – Critical vulnerabilities: Cyberpion discovered that nearly a quarter (23%) of the top 30 U.S. retailers have at least one COMPROMISED ASSET under the control of hackers, not the retailer.

30% – Critical vulnerabilities: Cyberpion discovered that nearly one-third (30%) of the top 30 U.S. retailers have an asset that was ABUSED or is STILL UNDER ABUSE as part of a global hacking campaign.

43% – Critical vulnerabilities: Cyberpion discovered that nearly half (43%) of the top 30 U.S. retailers have a vulnerable asset that COULD BE exploited and represents an immediate risk.

83% – Critical vulnerabilities: Cyberpion discovered that most (83%) of the top 30 U.S. retailers have connections to a VULNERABLE third-party asset.

What Happens Next?

While the scope of this blog post doesn’t cover the nature and potential damages that these vulnerabilities could represent for these retailers and their customers, the risks and damages are very real. Online ecosystems, the third-party assets and infrastructures that your organization connects to, represent a growing and significant attack surface for your organization.

The impact of Covid-19, the trend of Digital Transformation, and the rise in online purchase for this holiday season will only increase the likelihood that these vulnerabilities will be discovered and exploited by today’s threat actors.


Final Thoughts

While we’ve used the Top 30 U.S. Retailers for this post, online ecosystems, and their inherent vulnerabilities, are not limited to U.S.-based, large, or Retail-only organizations. In this era of hyper-connected online infrastructures, it is likely your organization has a vulnerability hiding in its online ecosystem. If you are a cyber-security representative of your organization (of any size), we encourage you to contact us immediately to get a free single-pass scan of your online ecosystem!
