Credentials are the new credit cards in retail cyberattacks

The digital storefront has become a prime target for cybercriminals, and a new report from KnowBe4 paints a stark picture of the evolving threats facing the global retail sector. The “Global Retail Report 2025” unveils a critical shift in attacker focus, with stolen credentials now eclipsing payment card data as the most sought-after prize. This pivot demands a fundamental reassessment of cybersecurity strategies within the industry, particularly for the fintech and financial services partners that underpin its operations.

For years, the retail sector has been a treasure trove of sensitive data, with over 62% of purchases globally made using credit or debit cards. This reliance on digital payments entrusts retailers with a wealth of Personally Identifiable Information (PII), from names and addresses to purchasing history. As AI-powered tools lower the barrier to entry for cybercriminals, the sector faces an unprecedented surge in attacks.

The alarming rise in cyberattacks

Multiple reputable studies corroborate this escalating threat:

• The 2024 Verizon Data Breach Investigations Report (DBIR) recorded a staggering 725 incidents in the retail sector in the year leading up to October 2023, with 369 resulting in confirmed data disclosure. This represents a dramatic 56% increase compared to the previous year.
• IBM X-Force’s 2024 report placed the retail and wholesale sector among the top five most attacked globally, accounting for 10.7% of all incidents in 2023, a 25% rise year-over-year.
• CrowdStrike’s 2024 Threat Hunting Report further reinforces this trend, identifying retail within the top five targeted sectors, with attack frequency surging by 55% year-over-year when factoring in the first two quarters of 2024.

This surge in attacks is accompanied by a significant increase in financial repercussions. The IBM Cost of a Data Breach Report 2024 pegs the average cost of a retail data breach at $3.48 million, an 18% jump from the previous year. This figure doesn’t even fully account for the “hidden” costs such as lost business, reputational damage, and post-breach remediation efforts, which saw an 11% increase.

Real-world consequences

The impact of these breaches can be devastating and long-lasting:

• Home Depot (2014): A third-party vendor hack led to the theft of 53 million customer records, ultimately costing the company over $215 million in settlements and related expenses.
• Target (2013): A spear-phishing attack on a vendor resulted in the compromise of 41 million payment card details and 70 million contact records, costing Target a staggering $290 million.³
• JD Sports (2023): A server breach exposed the online order information of approximately 10 million customers, including payment card details, which were subsequently used in social engineering attacks.
• Co-op Group (Sweden, 2024): A ransomware attack crippled POS systems across 800 stores, causing significant financial losses and disrupting supply chains.

The geographical hotspots

The KnowBe4 report highlights significant regional variations in attack prevalence:

• North America experienced the highest percentage of attacks at 56%.
• Latin America followed with 32%.
• Europe accounted for 11% of attacks.

Furthermore, data from Cyberint indicates that while the U.S. retail sector represents 28% of the global market share, it accounted for a disproportionate 45% of ransomware attacks in the past year, marking a 9% increase in its share of the attack horizon.

Why credentials now reign supreme

The KnowBe4 report pinpoints a crucial change in cybercriminal tactics. In 2023, credential harvesting accounted for 38% of all compromised data, surpassing the 25% attributed to payment card details.⁷ This strategic shift can be attributed to several factors:

• Enhanced Card Security: Banks have implemented more robust controls on card usage, potentially making direct card theft less lucrative.
• Bypassing Authentication: Stolen credentials, including login details and browser session cookies, allow attackers to bypass traditional security measures like passwords and even two-factor authentication (2FA), granting direct access to sensitive accounts and systems.

Entry points for cybercriminals

Several vulnerabilities make the retail sector an attractive target:

• Seasonal Events: Peak shopping periods like holidays and back-to-school sales lead to increased online traffic, digital transactions, and a surge in seasonal employees with limited cybersecurity awareness, creating a “perfect storm” of risk.
• Third-Party Dependencies: Retailers rely on a complex web of vendors for payment processing, logistics, and other services. As seen in the Snowflake breach, a compromise at any point in this supply chain can have cascading effects, granting attackers access through stolen vendor credentials. The AT&T breach, which originated from a spear-phishing attack on a supplier, resulting in the theft of over 100 million customer records, serves as a stark reminder of this risk.
• Multichannel Operations: The diverse digital footprint of modern retailers, encompassing e-commerce sites, mobile apps, and POS systems, expands the attack surface, with vulnerabilities in one area potentially compromising the entire network.
• Franchise Vulnerabilities: Inconsistent security practices across franchise locations due to varying resources and knowledge can create weak points that attackers can exploit, damaging the overall brand reputation.

Phishing as the primary gateway

Social engineering, particularly phishing, remains the cornerstone of most successful intrusions. Reports indicate that phishing is involved in an overwhelming majority (80-95%) of cyberattacks. The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) also confirms that phishing and credential harvesting are the primary attack vectors in the retail sector.

Investing in human risk management

The KnowBe4 report offers a beacon of hope: security awareness training demonstrably reduces human risk. Their internal benchmarking reveals that:

• The initial Phish-prone Percentage™ (PPP) in the retail and wholesale sector ranged from 30.7% to 42.4%, depending on company size.
• After just 90 days of integrated training and simulated phishing tests, PPPs saw significant reductions, dropping to as low as 18.3% for large organizations.
• Crucially, after one year or more of sustained training, the average PPP plummeted to a mere 4.5% – 5.2% across all retail company sizes.

Implications for fintech and financial services:

The findings of this report carry significant weight for the fintech and financial services industries. As enablers and partners of the retail sector, they are intrinsically linked to its cybersecurity posture. The rise of credential theft in retail directly impacts the security of financial transactions and customer data. Financial institutions must:

• Recognize the Evolving Threat: Understand that compromised retail credentials can be a gateway to financial fraud and account takeover.
• Strengthen Authentication: Implement and promote robust multi-factor authentication (MFA) for both retail partners and end-users.
• Enhance Monitoring: Increase vigilance for suspicious activity originating from the retail ecosystem.
• Foster Collaboration: Engage in greater information sharing and collaborative efforts with the retail sector to combat these evolving threats.

This report serves as a critical wake-up call. The retail sector is facing a dynamic and increasingly sophisticated cyber threat landscape where stolen credentials have become the new crown jewels for cybercriminals. Addressing this challenge requires a multi-faceted approach, with a strong emphasis on educating and empowering employees to be the first line of defense. For fintech and financial services, understanding and responding to this shift is paramount in safeguarding the integrity of the financial ecosystem and maintaining the trust of consumers. The time to act is now, to secure the digital storefront and protect the sensitive data that flows through it.