Get ready for the high-risk Xmas holiday shopping season

COMMENTARY: The holiday shopping season features a lot of chaos: rushed decisions, urgent sales, and last-minute gift hunting. While shoppers focus on snagging the best deals or finding this year’s must-have gift, attackers focus on something else: exploiting that chaos. And they’re getting better at it every year.

Black Friday marks the start of a prime hunting season for attackers. Retailers race to meet surging demand and avoid costly website downtime, while shoppers — stressed and eager — are primed to act fast. This combination creates the perfect conditions for ransomware attacks, payment fraud, and data breaches targeting personal identifiable information (PII). Both retailers and their customers are at risk — and the stakes are higher than ever.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This week’s Black Friday and the following Cyber Monday kick off a global shopping frenzy, even in regions that don’t celebrate American Thanksgiving. With this in mind, we analyzed ecommerce systems across the UK, Europe, and beyond from November 2023 to October 2024 to uncover vulnerabilities attackers might exploit this season.

Our analysis focused on ecommerce assets such as web applications and interfaces, identifying them through machine learning and natural language processing. These systems — often handling payment details, cart functions, or customer checkouts — are critical to operations, but also represent a goldmine for attackers.

The findings are stark: 53% of ecommerce assets collect user PII. Although slightly improved from 58% last year, this still makes them highly attractive to attackers seeking to harvest sensitive data, steal payment details, or damage a brand’s reputation. Storing PII without sufficient protections only amplifies the risk.

Neglected protections, amplified risks

Our 2024 State of External Exposure Management Report revealed concerning trends in basic security practices across ecommerce systems. HTTPS, a fundamental layer of encryption, has seen a troubling decline in adoption. While the vast majority of ecommerce sites still use HTTPS, 3% of web apps are missing it — a 50% increase compared to last year. The problem was worse in Europe, where nearly 5% of ecommerce assets lack this fundamental protection.

Web application firewalls (WAFs) present an even more alarming picture. WAFs, designed to protect against malicious web traffic, are missing from more than 40% of ecommerce assets — a significant increase from 28% last year. This gap is especially dangerous for assets collecting PII. Among these high-value targets, 35% lack a WAF, up from 24% in 2023. In the UK and Europe, the numbers are even worse, with 43% and 40% of PII-collecting assets, respectively, missing this critical safeguard.

The cost of inaction

While some issues, like certificate validity problems, have improved overall (dropping from 13% last year to 6% this year), the UK saw a troubling increase, with 14% of ecommerce assets affected. Europe also lags behind with 11% of assets experiencing certificate issues. For retailers, these lapses can shatter consumer trust. Shoppers encountering expired or invalid certificates are likely to abandon their purchase altogether, costing retailers sales on high-stakes shopping days like Cyber Monday.

But the fallout doesn’t stop there. Non-compliance with data protection regulations, such as GDPR in Europe or CCPA in the U.S., can lead to significant fines, reputational damage, and long-term customer attrition.

Why retailers need to act

Retailers need to act now. Attackers count on businesses being unprepared for the high-risk holiday season. Strengthening basic protections, like ensuring HTTPS adoption and implementing WAFs, functions as the bare minimum.

Today, it’s become critical to prioritize the security of ecommerce assets that handle PII, not just for compliance, but for preserving customer trust during the most important shopping season of the year. This year’s numbers are a wake-up call. Don’t let the organization’s ecommerce system become a holiday gift for attackers.

Emma Zaballos, senior researcher, CyCognito

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.