Skip to main content
Security Scorecard

Critical Security Issues Plague 100% of Biggest Holiday Retailers

Posted on December 6th, 2016

NEW YORK, Dec. 6, 2016 /PRNewswire/ -- All retailers should take extra security precautions during this holiday season. SecurityScorecard, the leader in security ratings, has found hackers have more opportunities than ever to infiltrate retailer networks. Today the company released its 2016 Biggest Holiday Retailers Cybersecurity Report - a comprehensive analysis exposing frightening cybersecurity vulnerabilities across 48 of the biggest U.S retailers. As sales continue to shatter records, major retailers are failing to keep up with critical processes needed to protect shoppers from being compromised.

SecurityScorecard studied the 48 largest retailers as indicated by the National Retail Federation. More than 50 percent may have failed to meet the Payment Card Industry's Data Security Standards. Issues discovered include malware infections, use of end-of-life products, weak network security and low security awareness among employees.

"In my previous role as a Chief Information Security Officer with a large retailer, this time of year is always tough for security professionals. With more consumers, more transactional data, and more credit cards to steal, the holiday shopping season is an ideal time for a hacker to attack," said Sam Kassoumeh, Co-Founder and COO of SecurityScorecard. "Our analysis indicates that even the most secure retailers could be susceptible to a breach. Additionally, previously installed and dormant malware could be activated during this time of year to capitalize on a larger score. If a hacker decides to take action while organizations scramble to keep up with an uptick in sales activity, attacks are more likely to be successful."

Among the report's other key findings are:

  • 100% of the Biggest Holiday Retailers were found to have multiple issues with domain security, which increases the risk of hackers impersonating a retailer's site and falsifying a checkout form to obtain a user's credit card information.
  • Over 90% of the Biggest Holiday Retailers have an SPF Record missing, which increases the risk of an email spoofing attack reaching consumers.
  • Nearly 80% of the Biggest Holiday Retailers may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
  • In October 2016, 83% of the Biggest Holiday Retailers had unpatched vulnerabilities.
  • All bottom performing holiday retailers have a D or lower in Network Security, suggesting that their network may have an unaccounted access point ready to be exploited.
  • 62% of the Biggest Holiday Retailers were using end-of-life products in the last month, which make them more susceptible to a number of attacks or exploits.
  • 43% of the Biggest Holiday Retailers were infected with malware between April and June 2016.

In addition to system vulnerabilities, SecurityScorecard also found many of the Biggest Holiday Retailers also had employees who lacked training in basic security best practices.

"The Biggest Retailers' last place ranking in Hacker Chatter and Social Engineering complicates things further for their internal security. Low Social Engineering scores are indicative that an organization's employees are vulnerable to attacks that prey on a lack of knowledge," continued Mr. Kassoumeh.

The 2016 Biggest Holiday Retailers Cybersecurity Report analyzed the security ratings of the 48 biggest U.S. retailers over a seven-month period between April 1st and October 31st, 2016. These retailers were selected from the NRF's 2016 Top 100 Retailers list. The conclusions and rankings featured in the report are based on data derived from SecurityScorecard's patented security rating platform. For more information about these findings, download the full report.

About SecurityScorecard

SecurityScorecard provides the most accurate rating of security risk for any organization worldwide. The proprietary SaaS platform helps enterprises gain operational command of the security posture for themselves and across all of their partners, and vendors. It provides continuous, non-intrusive monitoring for any organization including third and fourth parties. The platform offers a breadth and depth of critical data points not available from any other service provider including a broad range of risk categories such as Application Security, Malware, Patching Cadence, Network Security, Hacker Chatter, Social Engineering and Leaked Information. To receive a free SecurityScorecard assessment and consultation for your business, visit

SOURCE SecurityScorecard

Related Links

Join us in making the world a safer place.