A third of retailers in the UK are not reporting data breaches such as account takeover to the relevant authorities, according to new research from Ravelin.
A report compiled by the fraud detection and payment acceptance specialist drew on the experiences of 1,000 fraud and payments professionals working in large businesses globally.
The report found that FMCG retailers are the least likely to report account takeover attacks, with only 55 per cent saying they had done so in the past year despite having an average of 2.8 attacks per month.
Compliance with strict GDPR rules was also low amongst businesses including grocery retailers, who suffered an average of 53 account takeover attacks in 2020, yet 28 per cent did not report any breaches whatsoever to the authorities.
Account takeover is a fast-growing threat to retailers, Ravelin found, with nearly three quarters (72 per cent) finding that they’ve experienced a rise in attacks in the past 12 months, driven by the growth of e-commerce during the pandemic.
Account takeover occurs when a customer’s login details to their online account with a retailer fall into the hands of a fraudster who then uses a customer’s account to make fraudulent purchases.
Mairtin O’Riada, co-founder and chief information officer (CIO) at Ravelin, said: “Many retailers seem to have misunderstood their obligations to report account takeover attacks under GDPR. Even a small account takeover attack is a data breach, and retailers must report them to the relevant authorities, or they could be fined.
“But to report these kinds of attacks, you’ve first got to know if they’re happening to you. Monitoring customer logins and new devices are a good first-defence against account takeover, but only 56 per cent are monitoring logins and 47 per cent are tracking customers using new devices. These stats need to change.”