Research reveals loyalty programmes as target for data breach

Worldwide: Akamai, a platform for security and digital experiences, has launched a report detailing criminal activity that targeted the retail, hospitality and travel sectors between July 2018 and June 2020.

The State of the Internet / Security report, Loyalty for Sale – Retail and Hospitality Fraud, details attacks of all types and sizes, including numerous examples of criminal adverts from the darknet that illustrate how attackers cash in on the results of successful attacks and the corresponding data theft.

Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks – that is, a cyberattack where credentials are obtained from a data breach on one service and then used to log in to another unrelated service.

In the commerce category (retail, travel and hospitality), over 63 billion attacks of this kind were recorded. More than 90 per cent of these attacks were aimed at the retail industry.

During the Covid-19 pandemic, particularly Q1 of 2020, criminals circulated password combination lists of each commerce industry featured in the report. During this time, old credential lists were recirculated to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programmes.

Steve Ragan, Akamai security researcher and author of the report, said: “Criminals are not picky – anything that can be accessed can be used in some way. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

With the global economy preparing for the holiday shopping season, consumers will be logging in, collecting rewards, and using loyalty programmes to gain discounts or other perks. 

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan added. “Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

Other attacks observed over the two years include SQL Injection (where attackers can gain access to the user names and passwords held in a database) and Local File Inclusion (where a web application is tricked into exposing or running files). Around 4.4 billion web attacks using these techniques were launched against the retail, travel and hospitality sectors, accounting for 41 per cent of the overall attack volume across all industries.

The Akamai 2020 State of the Internet / Security report, Loyalty for Sale – Retail and Hospitality Fraud is available here.
