A SecurityScorecard report released on November 20, 2024, shows that 97% of the top 100 US retailers experienced third-party data breaches in the past year, underscoring critical vulnerabilities in the retail sector ahead of the holiday shopping rush.

The report analyzed over 14,000 domains linked to the top 100 US retailers, with a focus on the importance of strengthening security as cyber threats escalate during the busiest shopping season of the year.

With the vast amount of sensitive customer data retailers handle, such as payment information and personal identifiers, third-party breaches pose significant risks. Cybercriminals target this data for identity theft, fraud, and other malicious activities.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, highlighted the urgency of addressing these vulnerabilities:

“In the hustle to keep up with holiday sales, retailers must not let their guard down. Cybercriminals are lurking, ready to exploit any distraction. A single data breach could devastate a company’s bottom line and irreparably damage consumer trust. With all eyes on retailers in the coming month, they can’t afford to stand still. It’s imperative to prioritize security — not just for themselves, but for their vendors as well.”

Here are some of the key findings from the report:

  • 97% of retailers faced third-party breaches, while 97% also experienced fourth-party breaches (from only 2% of vendors).
  • All of the top 20 US retailers reported third-party breaches.
  • Only 12 retailers were directly compromised.
  • Retailers with a “B” security rating are nearly three times more likely to experience breaches than those with an “A” rating. However, only 20% of retailers have an “A” rating.

Based on its findings, SecurityScorecard also released a number of recommendations for retailers to help mitigate the risk of future cyber incidents:

  • Monitor external attack surfaces with automated scanning tools
  • Identify and mitigate single points of failure across supply chains
  • Ensure external technologies supporting e-commerce platforms are secure

Given the number of high-profile retail cyberattacks this year, these findings are not too surprising. Hot Topic recently fell victim to a cyberattack that compromised the data of 56 million consumers. As hackers get more creative, data leaks are not the only cyber threat the industry faces. For example, cybercriminals were recently found to have hacked thousands of online stores to post fake product listings that scammed users.