Payment card theft continues to impact retailers

03 May 2017

Two and a half years on, and US retailer Home Depot is still counting the cost of the massive 2014 data breach, one of the largest thefts of payment card details to date.

Last month, Home Depot agreed a USD 27.5 million settlement with financial institutions over the data breach, which saw around 56 million credit card and debit card details stolen, as well as 53 million emails. 

The company had previously agreed a USD 135 million compensation deal with a group of banks and card payment companies, as well as settling data breach class action lawsuits brought by consumers for a total of USD 19 million.

No let-up

Despite increased awareness of the risk, retailers continue to be vulnerable to cyber attacks. According to Risk Based Security, the retail sector experienced more data breaches in 2016 than any other identifiable sector, including financial, medical and technology sectors. 

Statistics show that breaches worldwide in the retail sector continue to increase year on year, although the past two years have seen lower levels of compromised records compared with 2013 and 2014. 

The theft of payment card details, in particular, remains a persistent threat. In February, US restaurant chain Arby’s became the latest retailer to fall victim to such a data breach. It found malware on its point-of-sale systems that would have allowed an intruder to access data from payment cards. Arby’s has since been hit with a number of lawsuits.

[Chart: Retail breaches by year, worldwide]

Improving security

Cyber criminals are becoming more sophisticated, but some analysts believe cyber security in the retail sector is wanting. Last year, analysis by US cyber security company UpGuard found weak cyber defences among many leading UK retailer websites. In its 2017 Global State of Information Security Survey, PricewaterhouseCoopers (PwC) noted that, while high-profile mega-data breaches in the retail sector had lessened in the past year, the theft of payment card data remained a problem. 

Many retailers are beefing up their point-of-sale systems, deploying technologies such as malware detection, encryption and tokenisation. According to PwC, almost two-thirds of companies surveyed say they follow secure coding requirements to help ensure proper handling of payment card data. 

However, many have yet to implement chip-based EMV payment card technologies in retail locations – generally considered to be a key cyber defence. 

PwC found that only 20% of respondents have deployed the new card infrastructure at all retail locations, with an additional 40% saying they plan to deploy EMV at all stores within the next six months. 

Even with the latest cyber security prevention techniques in place, successful cyber attacks constantly occur. It is therefore advisable to take out a cyber insurance policy, which, amongst other things, can provide coverage for Payment Card Industry Data Security Standard (PCI DSS) fines, penalties and assessments.



For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on


