The number of cyberattacks against retailers has dropped by 50 percent over the last two years, but thieves are getting much more data from a typical attack, according to new data from IBM — and much of it is coming directly through flawed e-commerce websites, Silicon Angle reported.
IBM said 61 million records were stolen from retailers in 2014, down from 73 million in 2013. However, after excluding the biggest attacks of each year — 2013’s attack on Target and 2014’s Home Depot attack — cyberthieves got away with 43 percent more retail data in 2014 than they did the previous year.
Meanwhile, attacks and breaches dropped off significantly during 2014’s Black Friday and Cyber Monday. The average daily number of attacks during the two weeks surrounding 2014’s Black Friday (Nov. 24 to Dec. 5) was 3,043, down from 4,200 for the same period in 2013. The number of successful breaches was cut in half, from 20 breaches (exposing almost 4 million records) in 2013 to 10 breaches (exposing just over 72,000 records) in 2014.
Despite that apparent slowdown, retailers and wholesalers are now the top industry target for cyberattackers, up from fifth place in 2013 among industries under heavy attack.
IBM also found that the memory-scraping software used in the Target and Home Depot breaches has been supplanted by arbitrary command injection and SQL injection as the most popular means of attack, with those two techniques accounting for the “vast majority” of attacks that the company recorded. That shift indicates that thieves are now attacking through e-commerce websites that don’t validate data that’s typed into a Web screen and instead feed it directly to a database — a failure of basic website security on the part of e-commerce developers.
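The failure described above, as an added illustration that is not from the IBM report or the article: the unsafe search pastes a web form field straight into the SQL text, the safe version binds it as a parameter, and a SKU lookup is allow-listed before it reaches the database at all. The catalogue rows and the SKU format are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory catalogue standing in for an e-commerce product database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A1", "Widget", 9.99), ("B2", "Gadget", 19.99), ("C3", "O'Reilly Guide", 29.99)],
    )
    return conn

def search_unsafe(conn, term):
    """Form input concatenated into the SQL text: the failure the article describes.

    A quote in the input ends the string literal and everything after it is parsed
    as SQL, so whoever fills in the form, not the developer, decides what the query says.
    """
    sql = "SELECT sku, name FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    """Parameterized query: the driver passes the term as a bound value, never as SQL grammar."""
    return conn.execute("SELECT sku, name FROM products WHERE name = ?", (term,)).fetchall()

SKU_PATTERN = re.compile(r"[A-Z][0-9]")  # allow-list for the SKU field (assumed format)

def sku_is_valid(sku):
    return bool(SKU_PATTERN.fullmatch(sku))

def lookup_sku(conn, sku):
    """Defence in depth: check the field's expected shape before it goes anywhere near the database."""
    if not sku_is_valid(sku):
        raise ValueError("invalid SKU: %r" % sku)
    return conn.execute("SELECT name, price FROM products WHERE sku = ?", (sku,)).fetchone()

def compare(term):
    """Run both search variants on the same input; report a broken query instead of raising."""
    conn = make_db()
    try:
        unsafe = search_unsafe(conn, term)
    except sqlite3.OperationalError as err:
        unsafe = "SQL ERROR: " + str(err)
    return unsafe, search_safe(conn, term)

if __name__ == "__main__":
    for term in ("Widget", "O'Reilly Guide"):
        unsafe, safe = compare(term)
        print("%-15s unsafe=%r safe=%r" % (term, unsafe, safe))
    print(lookup_sku(make_db(), "B2"))
```

A legitimate product name containing an apostrophe is enough to break the concatenated query, which is the same mechanism an attacker abuses; the bound parameter returns the matching row unchanged.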