Not all of these threats are a new strain of malware or software vulnerability. Some are older tactics adapted to new targets, such as a partner or a new digital channel. In other cases, the brands overlooked an obvious threat due to overconfidence or excessive skepticism.
Whether the threat stems from technology or human nature, fraudsters are exploiting any opening they can.
This listicle is compiled from reporting by PaymentsSource writers including John Adams, Kate Fitzgerald and David Heun.
Going after partners to get at card data
Expedia was quick to issue a mea culpa, but that's likely little comfort to brands like Amextravel.com, the company's consumer travel portal, which partnered with Orbitz on the back end to serve business-travel customers. Amex may have had no hand in the breach, but it definitely took a reputational hit from the customers that it had to notify.
"[This is] more an example of the brand risk associated with relying on third-party providers," said Julie Conroy, a research director at Aite Group.
Expedia said the current Orbitz.com website was not involved — rather, the attack affected an older database that may have been accessed between October and December 2017. Orbitz partner data, booked through external sites such as Amex Travel between Jan. 1, 2016, and Dec. 22, 2017, may have also been impacted.
The incident demonstrates that merchants face a greater burden to protect data that may be tainted from a prior breach at a third party. Retailers already lose about 8% of their annual revenue to costs associated with fraud, according to Javelin, and more layers of security could cost more.
"While this reinforces the need for all businesses to have a thorough vetting of their partners’ data security controls, the reality is that the cyber-threat landscape is moving so fast that it’s hard for even the large and sophisticated firms to keep pace," Conroy said. "The only data beyond attackers' reach is the data that has been devalued through tokenization and encryption technologies."