Retail and financial services websites at highest risk from cyber attacks

With Black Friday (28 November) and Cyber Monday (1 December) upon us, many retailers are expected to offer a plethora of deals and discounts. A new report by security firm Imperva, however, is raising fresh concerns over the security of retail websites and applications.

Targets and attacks

The Web Application Attack Report (WAAR) found that 48.1% of all attack campaigns targeted retail websites, while 10% targeted financial institutions. Websites containing some form of consumer information suffered up to 59% of the attacks.

Based on a time period of nine months, from 1 August 2013 to 30 April 2014, the results revealed that 40% of all SQL injection attacks and 64% of all malicious HTTP traffic campaigns target retail websites.


Source: Web Application Attack Report #5

WordPress was the most attacked content management system (CMS) according to the report, suffering 60% more cross-site scripting (XSS) incidents than all other CMS-run websites combined. Websites run on WordPress were attacked 24.1% more than websites running on all other CMS platforms combined.


Source: Web Application Attack Report #5

The above revelations help paint a fuller picture of the overall online threat landscape if looked at in conjunction with the findings from Arxan Technologies’ third annual State of Mobile App Security report, according to which 87% of iPhone and 97% of Android top 100 apps were hacked in 2014. Android apps in general, and financial services apps in particular, were found to be the least secure.

Cyber attack sources

Imperva’s analysis of the geographic distribution of the attack sources for different attack types showed that the United States generates the majority of the web application attack traffic worldwide.

The table below (originating from WAAR) shows the top ten countries with the largest amounts of malicious traffic, per attack type.


Source: Web Application Attack Report #5

The stakes are high

It was during November-December a year ago that Target suffered one of the most embarrassing and harmful breaches in retail history. At the time, the company allegedly received a report of malware in their system – before it suffered a massive data breach – but decided not to act. The hackers worked at unprecedented speed, carrying out their operation during the peak of the Christmas sales season (according to a Reuters report).

This is the time of the year when consumers who rush to shop in-store or online are probably at greatest risk of data theft (including name, address, credit card details and more). It’s also during this period that cyber criminals are most active, capitalising on the holiday mayhem.

Make security a part of everyday businesses processes

Organisations that store, transmit or process cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS).

IMRG (the UK’s industry association for e-retail) has reported that the overall rate of compliance among e-retailers when it comes to PCI DSS compliance is as low as 11.1%. This is alarming news considering that nearly 87% of merchants experiencing breaches were not compliant. Compliance with PCI Requirement 11, which covers regular vulnerability scanning and penetration testing of processes, applications and networks, is only 40%. (Source:

Compliance with PCI DSS should not be a box-ticking exercise.

The new version mandates that security should become part of everyday business processes.

If the PCI DSS is relevant to you, you need to act now to comply with PCI DSS v3, which comes into force in January 2015. Learn how these resources can help you.

 1912  1337  PCI DSS v3 SAQ Workshop
PCI DSS – A Pocket Guide PCI DSS v3 Documentation Toolkit PCI DSS v3 SAQ Workshop