Understanding the real costs of a retail data breach

Insights into the sources of breaches in retail and their costs


Download The Report

The retail sector is a significant part of the American economy, contributing $1.2 trillion per year directly to the U.S. gross domestic product. However, the sector is a prime target for cyberattacks because of the large number of transactions it handles in several different forms. With a vast attack surface spanning brick-and-mortar stores and e-commerce, and varying levels of controls between retailers, criminals see an opportunity to exploit vulnerabilities.

NetDiligence examines cyber insurance claims to provide further insights into the sources of breaches and their related costs. In its most recent Cyber Claims Study, published in late 2018, retail was found to be the fourth most exploited industry, behind only professional services, health care and financial services. Given the importance of the sector and its expanding data breach threats, the organization recently took a closer look at the industry with the 2019 Spotlight Retail report.

The report presents several findings specific to cyber insurance claims in the retail industry[1], including:

Sources of losses

  • Hacking (30%) and malware and viruses (27%) were the most common causes of losses in the retail sector, together accounting for 57% of claims over the five years of analyzed data (2013-17) and 47% of claims in 2017.
  • Third-party legal actions (18% of overall claims; 9% in 2017) and ransomware (7% of overall claims; 19% in 2017) were also top reasons for losses.

Breach costs

  • The average breach cost for cyber claims was $1.3 million in the five-year data period, and $169,000 in 2017.
  • Costs related to malware and viruses led the way, averaging over $2.4 million per event from 2013-17 and over $400,000 in 2017.
  • Hacking accounted for over $1.5 in costs per breach over the five-year span and averaged more than $167,000 in 2017.

Crisis services costs

  • Hacking claims averaged almost $600,000 in crisis services (such as forensics, legal guidance, credit monitoring and notifications) costs from 2013-17 and cost nearly $100,000 per event in 2017.
  • Breaches caused by malware or viruses averaged almost $538,000 for crisis services over the five years of data and over $541,000 in 2017.

Exposed data

  • From 2013-17, 65% of breaches exposed data while 35% did not.
  • Payment Card Industry (PCI) data was compromised most often, comprising 53% of claims.
  • Breaches of personally identifiable information (PII) and claims involving critical retail files (events such as ransomware, distributed denial of service, wire or banking fraud or network outage events) each represented 11% of claims.
  • Only 6% of PCI data compromises resulted in fines, ranging from $56,000 to $6.9 million, with an average of $1.2 million.

Point-of-sale breaches

  • Approximately 11% of claims from retail companies involved compromised POS devices.
  • These claims averaged $3.4 million in breach costs and $1.25 million in crisis services costs.

E-commerce breaches

  • Approximately 8% of retail claims from 2013-17 involved the compromise of websites and e-commerce systems, and all were due to malware or virus attacks.
  • Retailers reported an average of $148,000 in breach costs and $137,000 in costs related to crisis services.

Retailers face a difficult balancing act between increasing operational efficiency, meeting new customer expectations and mitigating risk. While cybersecurity controls and protections have matured and improved for retail organizations, attack methods are evolving quickly as well. NetDiligence’s 2017 data showed improvement, but it is too early to know whether that signals a true downward trend or only a temporary dip.

Regardless, effective cybersecurity is not optional; it is necessary to protect customer and company data, maintain regulatory compliance and avoid harmful breach costs and possible regulatory sanctions. Retailers must understand where their potential vulnerabilities exist, and how to address them, before opportunistic criminals exploit them.

[1] Most of the data breach claims in this study involved smaller retail organizations.
