Aldi proved to have one of the safest websites during UpGuard's security tests © FT montage

Retailers know how devastating a cyber attack can be: only two years ago, on the other side of the Atlantic, the chief executive of Target resigned after hackers stole the personal information of 70m customers.

Last year, according to the British Retail Consortium, fraud and cyber crime against retailers rose 55 per cent. “The majority of retailers were victims of some form of cyber attack in 2014/15,” the BRC said.

With more and more shoppers moving online, having a safe website is vitally important.

Two-thirds of companies told the BRC that they felt their defences were in “good to excellent” shape. Retailers have invested millions in online defences and cyber experts.

But according to UpGuard, a Silicon Valley company that has developed some of the most advanced technology to assess whether websites are safe, many British retailers need to pay “serious attention”.

The Financial Times asked UpGuard to assess the risks of using UK websites and the cyber security group responded by saying that customers should be on guard when passing “sensitive information” to many of the sites.

UpGuard is used by thousands of companies, including major groups like Cisco, the US networking company, Allianz, the insurer, and e*trade, the online broker, to detect online risks. It has partnerships with both Microsoft and Amazon.

Retailers responded by criticising UpGuard’s methodology, with many of them stressing that its scans did not fully take account of the internal security in place.

One of the key areas of dispute was the assessment that UK retailers do a poor job in encrypting all parts of a website. Many companies argue this was an unfair yardstick, saying they instead focus their security efforts on protecting core parts of their online systems, such as customer databases and payments pages.

But others in the security and technology industries have said much more needs to be done.

Earlier this year, Google security expert Parisa Tabriz said websites that use any unencrypted pages were “unsafe”. Companies including Twitter and Dropbox have supported a campaign to put “strict encryption measures on all network traffic”.

Greg Pollock, the vice-president of product at UpGuard, defended its tests, saying that encrypting payment areas “does not absolve” companies from protecting the rest of their sites.

He said unless encryption were rolled out across a website, it can leave users vulnerable to strategies such as “DNS spoofing” or “cache poisoning” — strategies where users can be redirected to fake pages that appear to be legitimate, but can gather users’ details or spread computer viruses.

“It is true that external scanning only represents part of the information relevant to a site’s risk of breach,” said Mr Pollock. “But that is all consumers have to work from to determine a company’s digital security. Given such a short list of checks, you would expect companies to look better rather than worse.”

UpGuard also said it assessed companies to check whether they employed “email authenticity to prevent fraudulent messages”. This could help avoid online criminals impersonating company employees in order to defraud customers.

George Quigley, a partner at KPMG who specialises in cyber security, said retailers faced a complex environment, where they faced everything from “basic smash-and-grab credit card scamming through to very sophisticated attacks”.

He added that because customers tended to reuse the same password on several websites, even companies that invested in robust security could find that they were only as safe as their weakest rival.

But Mr Quigley said many retailers were investing in hardening their systems, setting up network security centres to watch for attacks around the clock. They were also devising algorithms that could tell whether, for example, a sudden surge of traffic was the result of a popular price promotion or a break-in attempt.

————————————————

The methodology

UpGuard says it makes a “cyber audit” that uses publicly available information to assess a business. It looks at various factors, including the past breach history of a company. It tests whether a company employs “email authenticity to prevent fraudulent messages” being sent, by checking online records that help to reveal how well a company protects its communications. It also tests a company’s “attack surface”, the various points where a hacker may attempt to break into a site. Finally, it looks to see whether the company has up-to-date security certificates and whether it employs encryption throughout its website.

Through doing this “external scan” of a site, it determines a score, like a credit rating, on a scale between 0 and 950.
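The checks described above can be modelled offline. The script below is an added illustration, not UpGuard’s tooling or scoring formula (which the article does not disclose): it assumes that “email authenticity” records means SPF and DMARC entries in DNS, and it runs against constructed sample data for a hypothetical domain, example.test, reporting findings rather than a 0–950 score.

```python
"""Offline model of an external website posture check (added example)."""
from datetime import datetime, timezone

# Constructed sample inputs for the hypothetical domain example.test.
DNS_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
CERT_NOT_AFTER = datetime(2016, 9, 30, tzinfo=timezone.utc)   # constructed expiry
PAGE_URLS = ["https://example.test/", "https://example.test/checkout",
             "http://example.test/about", "http://example.test/offers"]


def email_auth_checks(domain, txt):
    """Look for an SPF record and an enforcing DMARC policy in TXT records."""
    spf = any(r.lower().startswith("v=spf1") for r in txt.get(domain, []))
    dmarc = next((r for r in txt.get(f"_dmarc.{domain}", [])
                  if r.lower().startswith("v=dmarc1")), None)
    policy = None
    if dmarc:
        for tag in dmarc.split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "p":
                policy = value.strip().lower()
    # p=none only monitors; quarantine/reject actually block spoofed mail.
    return {"spf": spf, "dmarc_enforced": policy in ("quarantine", "reject")}


def certificate_ok(not_after, now):
    """An expired certificate triggers browser warnings and trains users to click through."""
    return now < not_after


def https_coverage(urls):
    """Fraction of known pages served over HTTPS; anything below 1.0 leaves plain-HTTP pages."""
    return sum(u.startswith("https://") for u in urls) / len(urls)


def findings(domain, txt, not_after, urls, now):
    """Collect human-readable findings in the spirit of the external scan."""
    out = []
    auth = email_auth_checks(domain, txt)
    if not auth["spf"]:
        out.append("no SPF record: forged sender addresses cannot be detected")
    if not auth["dmarc_enforced"]:
        out.append("DMARC missing or p=none: spoofed mail is not rejected")
    if not certificate_ok(not_after, now):
        out.append("TLS certificate expired: browsers will warn users")
    coverage = https_coverage(urls)
    if coverage < 1.0:
        out.append(f"only {coverage:.0%} of pages served over HTTPS")
    return out
```

Running `findings("example.test", DNS_TXT, CERT_NOT_AFTER, PAGE_URLS, datetime(2016, 1, 1, tzinfo=timezone.utc))` on the sample data reports only the partial HTTPS coverage, which is exactly the dispute the article describes.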

————————————————

The UpGuard analysis did show some companies satisfying many of its tests. The best score was obtained by Aldi UK, which scored 846.

Other sites to score above 700 — a result that UpGuard said showed that a company took “website security seriously” and “has implemented most or all of the top controls” — were Amazon.co.uk and WM Morrison.

In separate research conducted for the FT, BitSight, a US company that measures how vulnerable companies are to cyber attacks, analysed whether the online security certificates of top UK retailers, such as those required to ensure secure transactions, had been kept up to date.

Without these certificates, consumers are vulnerable to hacking strategies such as “man in the middle” attacks, where a third party is able to access information such as credit card details during an exchange of information.

Of 19 British retailers surveyed, BitSight found that 68 per cent were considered “good”, meaning that most had security certificates in place. The UK fared better than the average of all global retailers of 43.7 per cent. However, only 26.3 per cent of the UK retailers had no certificate errors at all.

“Compared to all other industries, retail in the UK is doing better than most,” said Jay Jacobs, senior data scientist at BitSight. “But that doesn’t mean it is good. The other way to look at this is that 32 per cent had an error or flaw.”

Retail responses

Next: The UpGuard survey is an external-only ‘desk’ review of Next’s security systems. It therefore cannot and does not reflect the company’s internal security arrangements.

Tesco: This test has not assessed the part of our website where customers log in and is not a fair reflection of how our customers’ data and our business is protected from cyber attacks.

Primark: Primark does not process purchases online and holds only limited customer data essential to supporting our customers. We are confident that Primark’s websites are as secure as any site against cyber attacks because of the regular security tests we perform.

Lidl: We do not operate online shopping; the minimal customer data that we have for our registered newsletter subscribers is kept in a separate secure system, and we remain vigilant in protecting that information for our customers.

New Look: Keeping our customers’ data safe and secure is of paramount importance and we’re confident in our IT infrastructure and the security processes we have in place.

Waitrose: We take the security of our website very seriously and this is a constant focus for our business.

H&M: We work proactively to secure our environments against external threats at any time.

Aldi: Providing our customers with the confidence and security to shop at Aldi.co.uk was key to the successful launch of our online shopping service earlier this year.

British Retail Consortium, responding on behalf of Marks and Spencer, Sainsbury's, Asda and its clothing subsidiary George: Maintaining the trust and confidence of their customers is of paramount importance to all retailers and for this reason they have made considerable investments of time and resources to make sure they have the right tools and expertise to ensure their websites are properly protected.

Matalan: invests heavily in ensuring its customers’ data are safe from both external and internal cyber attacks. Our web site, back end systems and networks are constantly monitored both internally and by third party experts and assessors to ensure that our measures are fully compliant with industry leading standards.

Top Shop, Debenhams, WM Morrison, Spar and Amazon UK declined to comment.

Copyright The Financial Times Limited 2024. All rights reserved.