Dive Brief:
- Etsy, Shopify, Twitter, PayPal, Pinterest and others experienced lengthy outages Friday due to what is now believed to have been three waves of cybersecurity attacks.
- The outages occurred when web domain company Dyn was hit with distributed denial-of-service (DDoS) attacks that made its customers' sites crash. DDoS attacks use Internet addresses associated with devices already infected with malicious code to generate huge amounts of traffic to overwhelm targeted sites.
- The Associated Press reports that hacker group New World Hackers claimed responsibility for the attacks, which unloaded 1.2 trillion bits of data traffic on Dyn's servers, although AP was unable to confirm the hackers' claim.
Dive Insight:
The potential total lost sales for retail sector companies affected by this attack have not been quantified and may be difficult to estimate, but it's certain that some sales were lost and that online traffic to store sites was sharply limited. AdWeek notes that one Etsy-based seller reported receiving only two orders last Friday instead of her typical 35.
Regardless of who was responsible for the onslaught, the attackers used malicious software code known as Mirai, which was let loose on the Internet in recent months. That means we are very likely to see more attacks along the same lines, possibly from a variety of perpetrators, and with a variety of different targets. It is essentially the vivid realization of fears about e-commerce sites becoming prey for increasingly frequent, large and complex cyberattacks.
Also, although retailers apparently were not specifically targeted in this case, these attacks will serve to heighten sector fears about similar attacks that could target retail sites to either shut them off — or worse, tap them to steal customer payment data, at a time when the holiday shopping season is about to begin, and Black Friday is just weeks away.
If there is anything positive to come out of this series of attacks, it's that awareness of security vulnerabilities and investment in protection strategies should both increase imminently. While the largest retailers have the most to protect, they also have the resources and minds to help them do it. Smaller retailers are in a completely different boat — most don't have the staffs, strategies or money to keep up with evolving threats or protect themselves properly. Many small e-commerce retailers rely on their platform partners to protect them, and at least one of them — Shopify — was one of the big names whose site was crippled by this series of attacks.
It's time for retail to make cybersecurity a No. 1 priority. It will no doubt seem difficult to people in retail organizations to make that happen with so many other revenue-generating technology priorities on their minds. Retailers may also look at these attacks and say that the attackers were not after them in particular and were just making a political statement. But there needs to be an understanding that these attacks could have been much worse, that much worse attacks are still to come, and next time, retailers may be the real target.