Skip to main content
Security Scorecard

2015 Retail & eCommerce Security Report: Web Application Security Issues Are Rampant And Prolific

Posted on November 23rd, 2015

NEW YORK, Nov. 23, 2015 /PRNewswire/ -- SecurityScorecard, the leading security-risk benchmarking company, announced today findings from its 2015 Retail & eCommerce Security Report which details security trends and problem areas affecting both businesses and consumers this holiday season. SecurityScorecard finds the retail industry suffers from pervasive web application weaknesses from legacy software systems which are soft targets for attackers once inside a company's network.

The report analyzed the top and bottom 10% of retailers collected from SecurityScorecard's proprietary industry data. These retailers represent roughly 200 retail companies and was collected and analyzed from July through October 2015.

There were no e-commerce retailers that were exempt from web application issues. Also, many retailers that our researchers analyzed found companies need to improve the security of servers by hardening their configurations. In the recent past, hackers have found entry points via third party vendors and partners. The target? Customer credit card and other personally identifying information (Social Security Numbers, home addresses, email addresses, phone numbers, etc.) attackers use for fraud and identity theft.

"Attackers seek to access the 'dumps' from customer credit card magstripes (underground slang for the track data stored on a card's magnetic stripe)," said Alex Heid, Chief of Research, at SecurityScorecard. "They will scan ranges of IP addresses looking for remote administration protocols and then use common or pilfered credentials for access."

Top Performers

  • Top retailers are faring well in network security, the frequency of patching, and the lack of exposure of employee passwords on the hacker underground.
  • Companies that rank at the top also have lower malware infection rates.
  • A few of the top retailers include name brands in clothing (Guess), fast food (Quiznos), and sporting goods (Dick's Sporting Goods). More of the top performing retail companies can be found in the report here.

Bottom Performers

  • Three-fourths (74%) of retailers that rank in the bottom 10% struggle with keeping their employee passwords secure.
  • Nearly 40% of bottom ranking retailers are not patching their systems in a timely fashion.
  • Bottom performers ranked very poorly for malware infection rates in the middle of summer in July, but gradually improved their standing in October.

"For bottom performing retailers, we noticed issues in the frequency of fixing vulnerabilities, so companies need to put robust and rapid patching policies in place in their security programs," said Dr. Aleksandr Yampolskiy, CEO and Co-founder, SecurityScorecard. "We also found too many instances of corporate login and password credentials found on the underground, so retailers need to improve security awareness training for employees. For the application issues, secure coding training for developers is a must."

Consumers lining up to shop at stores on Black Friday or purchase gifts on Cyber Monday and beyond this holiday shopping season should understand that credit cards and other personal information are always a target for hackers, so consumers should be vigilant about monitoring their statements and credit services for fraudulent activity. Holiday shopping season is widely known to see increases in attack attempts on retail and eCommerce websites.

Dr. Yampolskiy also advises that consumers do not use or visit eCommerce websites of companies they have never heard of before, and to monitor their credit card and bank accounts for suspicious charges.

Download the report here.

Companies that want to receive a free, graded security score should visit:

About SecurityScorecard's Benchmarking Service
SecurityScorecard allows organizations to benchmark the security of any partner, competitor, supplier, vendor, any third party or company— without requiring permission. Compare any company's security performance against other organizations within the same industry in real time. The platform is completely self service, making it the most business ready and technically-sound security risk benchmarking platform in existence today.

The proprietary foundation of the platform is the ThreatMarket™ data engine that collects over 30 million daily security risk signals from the entire Internet. SecurityScorecard collects and grades the security risk of companies in the following ten categories and factors: Web Application Security, Network Security, Endpoint Security, IP Reputation, Patching Cadence, Password Exposure, Hacker Chatter, Social Engineering, DNS Health, and CubitTM Score, a metric that assesses common system configurations.

About SecurityScorecard
SecurityScorecard was founded in 2013 by two former Chief Information Security Officers, Dr. Aleksandr Yampolskiy and Sam Kassoumeh. SecurityScorecard is made up of veteran security researchers, cryptographers, data scientists, and software engineers. The company is privately held with headquarters in New York City. Security Scorecard investors include Sequoia Capital, Evolution Equity Partners, Boldstart Ventures, and others.

Join us in making the world a safer place.