Britain's Companies Are Being Hacked


Retailers have been plagued by cyber-attacks.

The news just arrived this week that the website of Adidas had been hacked. Consumer information may have been stolen from the sportswear giant.

Their website carries this announcement:

adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts.

Many of us have received emails from retailers or other businesses containing statements like this. We are told there has been a “breach”; in extreme cases, they offer to provide identity theft protection or monitoring for those who may have been affected.

In Britain, several recent high-profile incidents have left consumers wondering just how safe these websites are. In April, major retailer Marks and Spencer had to stop taking online orders after their site was hacked. To say this is a big deal is an understatement. Marks and Spencer has an annual global revenue of £13 billion, with over 9 million active online customers in Britain. While they anticipate a “gradual” return to full operations, the impact of the hack is likely to linger until July.

According to the BBC, the group that might be behind the breach is called “Scattered Spider,” and they have previously attacked other British businesses including Harrods. This type of attack is particularly damaging in Britain, because such a high proportion of retail sales take place online—26.5%, compared to 18.8% in the USA (and well ahead of the European average of 15.4%). Britons also spend 9% of their incomes online.

When another UK supermarket chain, Co-op, was hacked earlier this month, it didn’t just affect online shopping. Their supply logistics went down, leaving empty shelves in stores, and payment systems disabled, meaning some branches could only take cash.

The victims are not just retailers. In 2023, hackers tried to hold the British Library to ransom. The library is one of the largest research collections in the world, and its catalogue contains millions of items. The cyber-attackers stole data and blocked visitor access to the library site, demanding a ransom of 20 Bitcoin (at the time, around £600,000) to restore service. To prove what they could do, in November 2023 the attackers released some of the stolen data onto the dark web, including personal user information.

The attack sent shockwaves through academia, as users in Britain and abroad were abruptly denied access to a major research repository, including its database of doctoral theses. Any scholars who had ever used the library had to ask how much of their data was at risk. Anyone who ever had a reader card to use the archives has his or her photo and details in the system.

It turned out that what sent so many people online (the pandemic) is what made the library vulnerable. They had established a server to allow remote access for staff and contractors; this was the weak security link that allowed an entry point for the hackers. Recovery has been slow. It took months for the catalogue to be restored, in a limited, text-only format. Now, over a year and a half later, some systems are still out of action. Those believed to be responsible, a group called Rhysida, had attacked government institutions elsewhere, including the Chilean army. The FBI has issued an alert about their activity.

One assumes the library did not pay the ransom. Plenty of companies do, although they don’t always get what was promised in return. For their part, Marks and Spencer have refused to comment on a ransom. But they admit that the break-in was the result of “human error,” and that an employee of a third-party vendor fell for a “phishing” scam. Just one employee, who works for a subcontractor, can make a mistake that brings a major retailer to its knees. This recent wave of attacks should be a wake-up call.
