Data thieves go after Adidas, other sports and fitness sites
Time marches on – and so do data thieves. Consistent with their approach of targeting specific business segments, the Adidas breach reveals a pattern of going after sporting goods and health and fitness related companies. It comes on the heels of several additional breaches effecting consumers including one a few months impacting Under Armour’s MyFitnessPal app in April, which hit about 150 million accounts. Under Armour uses the food and nutrition app to promote its e-commerce sales. Also in April, a breach of Panera Bread’s website, exposing 37 million customer records, became known. Panera has cultivated an image of being a health-oriented fast-casual restaurant. It fits the pattern.
Other recent data breaches of retail entities included the point-of-sale systems at some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores last year, which led to the theft of about 5 million credit and debit card numbers. That breach of the three Hudson’s Bay Co. retail brands was said to be the biggest and most damaging in retail.
There have been data breaches that resulted from malware being planted on the POS systems in stores operated by The Buckle, Eddie Bauer, Kmart and Forever21. Sears alerted customers to a “security incident” on April 4 that also affected Kmart and Delta airlines, which uses the same online support service as Sears, reported Business Insider. Best Buy, Saks Fifth Avenue, Lord and Taylor, Sonic, Whole Foods, Gamestop and Arby’s are also on Business Insider’s list of retailers breached in the last year.
A commonality between the Panera and Ticketmaster UK breaches was a hesitation to reveal the damage immediately. Adidas avoided that trap.
“Each time a new data breach is disclosed from a ‘trusted’ retailer, consumer trust in that brand diminishes,” said Joe Stuntz, vice president of cybersecurity at One World Identity in a statement emailed to Retail Dive. “To Adidas’ credit, they disclosed the breach quickly, because, as we’ve seen with other incidents, no breach stays secret for long, and the appearance of attempting to cover it up can further weaken consumer confidence in that brand.”
The growth of e-commerce and mobile payments has resulted in a large opportunity for hackers to infiltrate retail databases and steal customer data, said George Avetisov, CEO of HYPR in an emailed statement. “From this year’s Saks Fifth Avenue breach to now Adidas, the common thread these incidents share is the centralization of massive amounts of customer data – this includes payment and retail account login details, bank card numbers and more. This creates a large attack surface and an easy, single point of failure that hackers love,” he said.
“Retailers and payment service providers need to remove the target through decentralization, where customer data is stored on the customer’s mobile device. This removes the target and forces hackers to go from device to device to attempt obtaining even one set of credentials, which will ultimately deter them. If not, we can expect to see more of these retail breaches in 2018,” Avetisov said.