When crooks can't get to the data, they take down the website
Even though a denial-of-service attack on an e-commerce site is not classified as a breach because data is usually not compromised, the 2018 Verizon Data Breach Investigations Report claims it is a growing menace to merchants who rely solely on their websites.
Of 317 incidents reported in the retail sector last year, 169 had confirmed data disclosure. Of those 317 incidents, 85 were denial-of-service attacks designed to halt business on a site by overloading it with requests or dismantling connections to host servers, according to the Verizon research.
Verizon breaks down its annual research by reporting overall incidents and citing the number of those incidents that resulted in actual data compromise.
"Those who live by the sword are destined to die by the sword, we're told," the report said. "The retail sector equivalent is that those whose livelihood relies on their website shall die by the website when a DoS attack hits."
In the physical retail world, payment card skimmers remain a concern at POS terminals with 81 incidents reported. Web application attacks at 73 incidents and Crimeware malware at 26 were also prevalent problems in retail.
For all of the incidents, 93% were performed by external threats, the report said, while 7% were perpetrated internally.
Web servers were under attack 156 times and gas pump terminals 66 times, according to the research.
Retailers need to extend their loss prevention mentality beyond cameras and security guards "to rein in old-fashioned shoplifting" to also identify tampering of any card processing device — especially for gas pumps, Verizon said.
However, the low number of only 10 RAM scraping, or POS memory scraping, malware incidents indicates that retailers of all sizes are restricting access to the retail payment card information environment from the internet, while also strengthening authentication processes.
In all breach categories, Verizon cited 53,000 incidents and 2,216 confirmed data breaches last year. In addition to retail, categories included education, financial and insurance, health care, manufacturing, public administration, hotel and food services.
Health care organizations were the top victims in absorbing 24% of the breaches. Denial of service was the most common type of attack overall with 21,409 incidents, while phishing through social media triggered 1,192 attacks.
In a signal that companies and organizations still don't have prolific warning systems in place, 68% of all breaches took months or longer to discover, the report said.