Skip to main content
close search
site logo

Black Friday cybersecurity responsibility falls to customers

Cybercriminals feed on shoppers with weak personal cyber hygiene. Have companies done enough to protect customers?

Published Nov. 27, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Markus Spiske on Unsplash

First published on

CIO Dive

Hoards of people lining up at Walmart's storefront is the classic Black Friday image. 

Instead of going out at 2 a.m. for a deal, shoppers can stay in bed and shop online. It's easier for them and the bad actors who want to steal payment information. 

In the month leading up to the shopping holidays, there was a 400% increase in phishing activity, according to research from cloud-based security company Zscaler.

Black Friday and Cyber Monday sale emails have been flooding consumer inboxes, but retailers won't say "anything about your transaction being secure [or] anything about what they're doing to secure the data from a technology standpoint," Jerry Ray, COO of SecureAge, told CIO Dive. 

"When I look at our sales cycles, and when I look at the sales cycles of partners of ours who sell other products, we've never noticed that the holidays have increased [security spending] for any enterprise customers."

Jerry Ray

COO, SecureAge

Retailers ensure compliance with various regulatory programs for privacy, or updating payment processing systems and antivirus software, but "I haven't seen investment in new tools or infrastructure for any reason other than capacity," said Ray. "When I look at our sales cycles, and when I look at the sales cycles of partners of ours who sell other products, we've never noticed that the holidays have increased [security spending] for any enterprise customers." 

Researchers estimate about 6,000 potential e-commerce phishing sites are live on the web and expect 3,000 more by the end of the year, according to NormShield.

Cybercriminals feed on customers shopping on a potentially malicious site or inputting personal data into a corrupt link.

The bad actors in the hacker group Magecart (which has been behind many cybersecurity headlines this year) skim sites for payment data through point-of-sale portals by "injecting JavaScript" into popular sites, according to Zscaler. The malware can track cookies, locating where data is stored and how it travels. 

Magecart is "smart enough to check for old card details," and once a card is validated, it sends the details back to the hacker.

Shopper discretion is advised

As holiday shopping heats up, secure shopping practices fall on the customer, not the retailer. 

"Organizations aren't necessarily going to be forthcoming in relation to their particular cybersecurity strategy," Carl Wearn, head of e-crime at Mimecast, told Retail Dive's sister publication CIO Dive. But a general statement "establishing or guaranteeing a minimum level of security that can be expected in terms of the encryption or the security of data is likely to be seen as a significant step in the right direction." 

The U.S. Department of Homeland Security's Cyber and Infrastructure Security Agency (CISA) issued a warning earlier this month for consumers. "Be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online," the agency said.

Last week Macy's confirmed a data breach, which occurred for one week in October. The breach was a result of a "highly sophisticated and targeted data security incident," the company said.

Hackers potentially compromised customers' names, addresses, phone numbers and payment card data, though mobile transactions were left untouched, according to the retailer. 

While there is heightened awareness of data use, companies have to be sensitive to data security.

"I would expect that any organization dealing with large quantities of personal data to comply with best practice in relation to its storage and security, at the very least by following the guidance set down by frameworks such as NIST and the UK's National Cyber Security Center," said Wearn. 

Even the most diligent consumers can't defend themselves from a "highly sophisticated" cyberattack. "The overwhelming majority of attacks remain less-sophisticated," prompting human error-based compromises, according to Mimecast's Threat Intelligence Report. Ninety percent of cyberattacks stem from human error. 

"The more individuals are aware of their own use of technology and how that can render them vulnerable, the more knowledgeable and capable they will become in securing themselves," said Wearn.

Filed Under: Technology, Holidays

Editors' picks

Company Announcements

View all | Post a press release
New report profiles America's biggest Christmas gifters
From YouGov America
November 14, 2024
SRS Real Estate Partners Adds Commercial Real Estate Veteran Chris Stewart to Bolster Owner Se…
From SRS Real Estate Partners
November 14, 2024
RDSolutions Unveils Rebrand and Comprehensive Service Suite to Optimize Retail Performance and…
From RDSolutions
November 05, 2024
VSSL Gear Elevates the Outdoor Coffee Experience with New Partnerships, Expanded Product Lines…
From VSSL Gear
November 06, 2024
Editors' picks
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell