Verizon: Hackers put retail payment card data at risk

Dan Berthiaume
Senior Editor, Technology
Verizon research shows hackers are after payment card data.

Retailers have a specific set of consumer data that draws the attention of cybercriminals.

According to the 2023 Verizon Data Breach Investigations Report, the most common type of data compromised in a sample of 406 retail data breach incidents (193 with confirmed data disclosure) was payment data (37%). Other frequently targeted types of retail data include credentials (35%) and personal data (23%).

Verizon found that 100% of studied retail data breaches had financial motivation, while 1% were also motivated by espionage. Almost all of the threat actors were external (94%), with 7% of breaches including internal actors and 2% including multiple actors or actors from partners.

Almost nine in 10 studied breaches were committed using either system intrusion, social engineering, or basic web application attacks. In addition, Verizon found that cybercriminals targeting retailers often use “Magecart” attacks, which secretly embed malicious code into an e-commerce site’s credit card processing page.

This allows the criminals to steal customers’ payment data without actually affecting the functionality of the website. Currently, Verizon estimates Magecart attacks represent about 18% of retail data breaches. This form of data breach first rose to prevalence in 2019.

“While the same three patterns dominate this industry as many others, Retail has the added bonus of being targeted for its payment card data in addition to common threats like ransomware and basic web application attacks,” Verizon said in the report.

Study: U.S. data breaches rise 83% from 2020-2022

According to the “2023 State of the Omnichannel Fraud Report” from consumer credit reporting agency TransUnion, 4.6% of all customers’ digital transactions globally were suspected to be fraudulent from 2020 to 2022.

However, because the number of transactions conducted digitally has substantially risen in the last few years, the total volume of suspected digital fraud attempts has increased dramatically.

Globally, TransUnion data indicates digital fraud attempts have increased by 80% from 2019 to 2022, while rising 122% for digital transactions originating in the U.S. during that time. The gaming and retail industries saw the highest rate of suspected digital fraud at 7.5% and 7.2%, respectively. The number of overall data breaches in the U.S. increased by 83% from 2020 to 2022.