
Cyber spotlights on the retail, leisure and hospitality industry: Identify, assess, protect

Dive into cyber spotlights on notable incidents, latest threats, current trends, and tailored solutions for the retail, leisure and hospitality industry.

This spotlight delivers an overview of the latest cyber risks impacting the industry, including recent incidents and emerging threat vectors. We also highlight our specialised insurance solutions designed to address the unique cyber vulnerabilities faced by organisations in these sectors. Read more from our insights to help enhance your organisation’s cyber risk management approach.

What cyber incidents have we seen from the retail, leisure and hospitality industry?

In May 2024, a hacking group called ShinyHunters stole the data of over 560 million users after gaining access to the systems of a large event ticket retailer through a cloud database hosted by a third-party service provider. According to the impacted company, the database contained personal information of certain customers who bought tickets to events in North America. The company issued a notice on its website and offered 12 months of free credit monitoring to impacted individuals. The hacking group reportedly responsible for the attack is said to have sought USD 500,000 for the personal data of 560 million users on hacking forums.

The LockBit ransomware group claimed it was behind the attack on a Canadian pharmacy chain and threatened to publish stolen data online following failed negotiations to pay a USD 25 million ransom. The chain has since confirmed that it hired third-party cybersecurity experts to conduct a forensic investigation, which found no evidence that its customer databases were compromised.

In May 2024, an American high-end department store chain learned that an unauthorised third party gained access to a cloud database platform used by their business. They determined that the unauthorised third party obtained certain personal information stored in the database platform. The data included names, contact information, dates of birth, store gift card information, transaction data, partial credit card numbers, partial Social Security numbers, and employee identification numbers.


A database of over 2.8 million records has been posted to a hacker forum along with a claim that they originated from a March 2024 hack at a Canadian retail chain.

In March, one of the retailer's vendors, a company used to manage customer communications and engagement, suffered a cyber-attack, which impacted the retailer, as reported by online news outlets.

The company first learned of the security incident on March 4, 2024. On April 12, the database appeared on hacker forums. The records contain over 2.8 million unique email addresses, names, phone numbers and physical addresses. Subsequently, breach notices have been sent out to affected individuals. It has been reported that the impact on customers will depend on their buying behaviour (e.g. home addresses leaked where the buyer elected home delivery over in-store pick up).

On 19 July 2024, American cybersecurity company CrowdStrike distributed a faulty update to its Falcon Sensor security software that caused widespread problems with Microsoft Windows computers running the software. A number of organisations globally were affected by the incident and remained down for a number of hours, resulting in an interruption to business. Given the widespread use of Microsoft solutions, the incident ultimately impacted a wide range of industries, including retailers and companies from the leisure and hospitality sector. This incident signals the importance of focusing on non-malicious perils such as human error or system failure in cyber policies.

A software firm serving car dealerships across the US that was roiled by a cyberattack in June appears to have paid a USD 25 million ransom to hackers, as multiple sources reported to popular news outlets. The company impacted in this incident was infected with ransomware, which took many of its core systems offline. As the company is a trusted provider of software services to as many as 15,000 organisations in the automotive industry, the ransomware impact was severe and resulted in weeks of downtime for many entities utilising its services. Notably, the reported USD 25 million refers only to the ransom paid, with the severity of other cyber losses related to this incident remaining unknown. Reportedly, the cryptocurrency account that sent the ransom payment is affiliated with a firm that helps victims respond to ransom attacks, one of the sources said, declining to identify the firm.

Cyber insurance claims we have seen from the retail, leisure and hospitality industry

Below is a selection of recent anonymised claims managed by WTW:


Accidental data breach

Customers who logged into their online accounts were shown details of other customers due to a software issue on the part of their third-party service provider.


Malicious data breach

The company’s security team detected a higher-than-normal number of log-in attempts to online accounts and determined the unusual activity was the result of a brute-force attack.

Ransomware

The company suffered a ransomware incident that encrypted their servers and affected multiple locations.


Social Engineering

An HR employee at the company received an e-mail from an e-mail address purporting to be that of an employee of the company. The e-mail impersonated a newly hired employee, requested information on pay days and provided account details for the company to wire their wage to.

Business disruption

The company’s central reservations system (provided by a third-party service provider) suffered an outage and, as a result, the company incurred a revenue loss.

A broker's insight: The volume of personal data collected by companies in the retail, leisure and hospitality sector continues to make the sector as a whole highly susceptible to data breaches. The heavy reliance on information technology to facilitate revenue generation also continues to arguably make the sector disproportionately vulnerable to extortion threats. The recent cyber extortion event affecting CDK (see Recent Cyber Incidents) highlighted the potential fragility of certain supply chains where industry sectors become reliant on a small number of vendors.

Source: WTW proprietary claims data


Cyber threat trends in the retail, leisure and hospitality sector

Increased reliance on third party distribution and fulfilment centres: Customers have increasingly high expectations around delivery timescales, with nearly two thirds of global shoppers reportedly expecting 24 to 48 hours for their goods. This is driving pressure on “just-in-time” supply chains and increasing reliance on third party logistics companies and on the uninterrupted, continuous availability of their technology platforms. Disruption at one of these third party providers can have a significant impact on the sales and reputation of the retailer relying on such a platform.

Increasing frequency of IT supply chain attacks and outages: There has been a notable increase in point of sale misconfiguration and technology outages in 2024, which have left large global retailers having to close stores until their systems were operational again. The CrowdStrike outage in July also impacted PoS systems globally and has highlighted the importance of non-malicious perils such as human error or system failure, especially in the context of cyber business interruption insuring agreements. Furthermore, events such as the incident impacting car dealerships in the United States described above bring focus to dependent business interruption coverage, both in respect of IT service providers and non-IT service providers.

Double and triple extortion techniques leverage reputational fears: Large retail, hospitality and leisure organisations have a public presence, which means that a cyber-attack often becomes headline news. Cybercriminals are acutely aware of the damage a public breach can do to these organisations. Increasingly, cybercriminals are turning to double or triple extortion techniques, crippling systems to cause service outages and exfiltrating sensitive data, which they threaten to release publicly unless an extortion demand is paid. If that doesn’t secure payment, the malicious actors then threaten to launch distributed denial-of-service (DDoS) attacks.

Rising trend of SEO poisoning and brandjacking: We are seeing an increasing trend of threat actors using Search Engine Optimisation poisoning techniques to push their malicious copycat websites to the top of a search page. This is done to harvest sensitive data and login credentials. This angle of attack is particularly prevalent in industries where companies have consumer exposure and are established brands. These attacks are extremely damaging to the reputation of the company and to its digital trust.

Attack Vector: As Retailers and Hospitality organisations increasingly digitise their supply chains, depending on cloud-based services to protect their digital assets and host critical parts of their infrastructure, it’s imperative that organisations remain vigilant in the governance and strict management of their third-party dependencies. The CrowdStrike incident in July, although not a malicious attack, had repercussions similar to the software supply chain attacks seen with Kaseya (2021) and CDK Global (2024), and serves as a strong reminder of the vulnerabilities inherent in even the most robust systems. While it’s still too early to tell the final cost, it is estimated that the cost to the UK economy alone is £2.5Bn.

To defend against these types of systemic, supply chain events which can be either malicious or non-malicious in nature, organisations need to carefully plan, developing business impact assessments for their most critical systems and robust incident response plans. Through a clear understanding of their most vital systems, organisations can prioritize resource, response and recovery efforts effectively. Preventative steps such as conducting thorough security assessments of suppliers and enforcing strict vendor management practices and procedures including third party rollouts also play a significant role in reducing supply chain risk.


Our perspective on cyber market trends for the retail, leisure and hospitality industry

The Cyber insurance market has remained favourable for Retail and Hospitality clients, both with regard to rate, often seeing double digit decreases, and with regard to creativity in underwriting. This has brought numerous clients back to the Cyber insurance market after having exited in the hard market of 2020-21, when the Retail and Hospitality sector was one of the top four most severely impacted (WTW Cyber Retail & Wholesale Claims Report 2022). This was largely due to bricks-and-mortar clients commonly having some security controls falling below insurer requirements, typically related to legacy systems, as IT budgets were impacted after the COVID-19 pandemic.

This year we have found that, through the high levels of competition for core sectors such as Retail and Hospitality, rate has continued to reduce, supporting clients' cost analysis on whether to increase limits or purchase Cyber coverage again. The creative underwriting demonstrated by some insurers is also producing far more favourable terms, particularly for more challenged clients, without the restrictions of coverage previously experienced. WTW have secured the best result for these clients through supporting them in building deeper relationships with insurers who are willing to build a relationship for the long term and in accordance with the clients' IT roadmaps. Where we continue to see significant variation in underwriting approach and coverage is around privacy, in particular wrongful/unlawful collection of personal information.

Finally, we have seen clients increasingly focus on structural levers such as retentions to meet strict budgetary requirements, and utilise analytics tools, such as WTW’s Connected Risk Intelligence, to optimise cost efficiencies which can be generated through a portfolio lens.

How WTW can help with identifying, assessing, and protecting your business


Concerned, confused, or curious?

WTW is here to help you and your organization identify, assess, and protect itself against cyber risks. Our team of cyber specialists, with years of experience in your industry, will provide you with peace of mind, allowing you to focus on your day-to-day role.
