Grocery Stores – A Hidden Gem for Cyber Criminals?

Nicholas Foisy
Mar 25, 2020 11:00:00 AM

Following the recent closures of many public-facing businesses in the United States (and across the globe) in response to the spread of Coronavirus (COVID-19), this week’s blog post will discuss some of the cybersecurity challenges and vulnerabilities facing one of the only industries still opening its doors to customers: grocery stores. I am in a unique position to write this article; though I now serve as the Marketing Manager for Compass IT Compliance, I previously worked seven years in a grocery store, holding six different positions during that time. This has given me insight into both industries and where they intersect.

When you think of businesses with cybersecurity concerns, chances are grocery stores don’t often come to mind. The business model seems somewhat straightforward, with most employees performing manual labor that doesn’t involve computers or networks. However, grocery stores have their own unique cybersecurity concerns just like any other organization, and the risks to finances and reputation are just as high as in other industries!

PCI-DSS Compliance

The most well-known grocery store cyber incidents involve customers’ payment information. We’ve seen the headlines in the news: credit and debit card data exposed by breaches at Hannaford Bros. and Sweetbay (2008), Target (2013), SuperValu and Albertsons (2014), Hy-Vee (2019), and so on. It’s for these very reasons that the Payment Card Industry Data Security Standard (PCI-DSS) exists. The PCI-DSS contains a set of requirements designed to increase the security of credit card transactions and minimize the impact of fraud and data breaches. Any retail merchant, such as a grocery store, that processes, stores, or transmits credit card data is required to be PCI compliant. This is one of the areas of focus for us here at Compass IT Compliance. Our Qualified Security Assessors (QSAs) conduct PCI Risk Assessments and Reports on Compliance (ROC) for clients across all industries, including grocery stores. Going through the continual, annual process of achieving and maintaining PCI compliance is intended to mitigate the risks of breaches such as those mentioned. For grocery stores across the United States, PCI compliance should be a highly prioritized area of focus to protect your customers’ payment card information and your organization’s reputation.

Vulnerabilities and Stability of Online Ordering Services

Over the past few years, grocery stores across the nation have begun rolling out online ordering and curbside pickup programs. The added convenience and speed of checkout for customers is a big selling point, but these programs are now seeing a massive influx of orders as a result of the spread of Coronavirus (COVID-19). As people heed the warnings of health organizations and state and local governments issue “stay at home” edicts, consumers are taking advantage of online ordering to avoid unnecessary contact with others. At first glance this service appears to be benefiting from the current situation, with increased orders and the added benefit of making social distancing a little easier. This is a win for the store in the high volume of orders, and a win for the consumer in lowering their risk of contracting the virus. However, these systems are young and have likely never been put to a real-world test this big. Keeping the system online and preventing any system crashes is a huge priority. Organizations must look at their bandwidth capacity and at the vulnerabilities that may arise in the wake of the increased traffic. This might seem like an attractive time for an attacker to attempt a distributed denial-of-service (DDoS) attack on top of all the legitimate high-volume traffic. A DDoS attack attempts to flood the targeted resource (in this case, the online ordering system) with superfluous requests in order to overload systems and prevent some or all legitimate requests from being fulfilled. Not only can an attacker disrupt the flow of business with a DDoS attack, but they may also demand that the target pay a ransom in order to stop the attack. The current Coronavirus situation will allow many grocery stores to put their online ordering systems to the ultimate test!

Security Awareness Training for Staff

During my grocery store days, staff members would periodically be called upstairs by the manager. Though it often instilled a brief sense of fear and got us thinking about what we might’ve done wrong, it was usually just to complete mandatory security awareness training on the computer. The courses covered fraud, money laundering, phishing, vishing, and other scams that might put the store and the customer at risk. These courses were administered on an annual basis and required a passing quiz score to be marked as complete. All staff that had any access to computers or registers were required to complete the courses. Back then I viewed it as a waste of time, but looking back now with the cybersecurity knowledge I have gained through my role at Compass IT Compliance, I can see that these courses made a big difference. Security awareness posters in employee-only areas can also be helpful. There were half a dozen posters on the stairway leading from the registers to the breakroom, and I must’ve read those posters thousands of times as I made my way to and from the breakroom. I had them memorized! Employees are the frontline defense against all levels of scams within grocery stores. Educate staff often so they will be prepared to recognize threats when they arise.

Network-Connected Devices

As technologies within grocery stores continue to evolve, more stores are utilizing network-connected devices to simplify various processes. These may include refrigeration thermometers, lighting, alarm systems, etc. While connecting these devices to a network might make life easier for management, if they are not configured with security in mind they can introduce new vulnerabilities that did not exist previously. In 2019 a man in the Netherlands was arrested after hacking into a supermarket refrigeration system using an insecure password and changing the temperature settings to damage the food inside. If a grocery store’s network were to be breached, say by an employee falling for a phishing email, and that network was on the same segment as these devices, a hacker could potentially disrupt the operations of the store and damage products.

Onsite Social Engineering Access

Social engineering is one of the more interesting topics to read about in the information security realm. For those who are unfamiliar with the term, social engineering is the psychological manipulation of people, attempting to persuade them to divulge or grant access to confidential information. This includes phishing (via email), vishing (via telephone), smishing (via text message), and in-person social engineering. We already touched upon phishing and vishing. In-person social engineering involves attempting to gain access to secure areas in an organization, typically while impersonating the staff of that organization or a third-party vendor (e.g. refrigeration or computer repair). This poses a unique risk for grocery stores. Access controls for employee-only areas within grocery stores are often very light. In my seven years of working in a grocery store, I can think of dozens of times where access to non-public information would have been possible by simply opening an unlocked door and taking a peek at papers on a desk or in a file cabinet, or by hopping on a computer that was left signed on. Furthermore, because larger stores such as the one I worked in often have several departments, dozens of staff working various shifts, and high turnover rates, there are many times when you may see somebody in a store uniform that you do not recognize. If a malicious actor were to get their hands on a uniform, they could likely access any employee-only area without ever being questioned. If the store does have security staff, which isn’t always the case, they are often watching for customer theft and may not think much of a new face in a store uniform walking around a back room. These security staff are also sometimes rotated among stores, furthering their lack of familiarity with employee names and faces.
Compass IT Compliance conducts Social Engineering Assessments for organizations, in which analysts carry out a simulated social engineering attack to expose potential weaknesses. Grocery stores are a hidden gem for criminals looking to carry out such an attack, and stores need to take a closer look at what information can be accessed by entering employee-only areas.

Though it might not be one of the first industries that comes to mind when considering those with cybersecurity concerns, grocery stores have numerous risks and vulnerabilities that must be constantly addressed. They process and maintain the private information of millions of customers and employees and are a prime target for cybercriminals. Compass IT Compliance has extensive experience working with grocery stores across the country to address IT security, compliance, and risk concerns. Contact us today to learn more and discuss your unique situation!
