Cybersecurity

RH-ISAC: Microsoft warns of active exploitation of SharePoint via ToolShell zero-day
What: Microsoft identifies active exploitation of SharePoint's ToolShell zero-day vulnerability, enabling unauthenticated attackers to gain full remote control of retail servers and extract cryptographic secrets.
Why it is important: The timing of this threat is especially significant as retailers struggle with mounting cyber insurance costs and recovery from recent high-profile breaches, potentially creating a perfect storm for the industry.
Microsoft has uncovered widespread exploitation of a critical SharePoint vulnerability chain known as ToolShell (CVE-2025-53770), which enables unauthenticated attackers to compromise on-premises servers. The vulnerability, demonstrated publicly on social media, allows attackers to bypass authentication through a specific HTTP Referer header manipulation during POST requests. Once access is gained, attackers can extract the SharePoint server's MachineKey configuration, including the crucial ValidationKey, which can then be used to craft valid payloads for arbitrary command execution without administrative credentials. This zero-day exploit poses a particular threat to retail and hospitality sectors, where SharePoint is extensively used for internal collaboration, document management, and customer-facing portals. The potential for complete compromise of critical internal data, intellectual property theft, and operational workflow disruption has prompted Microsoft and CISA to issue urgent warnings, with patches now available for affected versions.
IADS Notes: The emergence of the ToolShell SharePoint vulnerability in July 2025 represents a critical escalation in retail cybersecurity threats, following a year of unprecedented incidents. In April 2025, M&S's GBP 700 million market value loss from a cyber attack demonstrated how digital vulnerabilities can severely impact retail operations. The incident's connection to third-party suppliers mirrors the current SharePoint exploit's potential to compromise entire retail networks through a single entry point. This risk is particularly concerning given that March 2025 saw a single security update failure cause GBP 5.4 billion in losses across Fortune 500 companies. The retail sector's vulnerability to such threats has already driven a 10% increase in cyber insurance premiums by May 2025, while industry data from April 2025 shows ransomware accounting for 30% of retail security incidents. With 41% of breaches now occurring through third-party providers, this unauthenticated SharePoint exploit presents an unprecedented risk to retail organizations' operational integrity and data security.
RH-ISAC: 2025 CISO Benchmark Report
What: Global CISO survey reveals critical security gaps in retail sector, with 82% of companies lacking strong digital core security maturity while facing increased ransomware and supply chain threats.
Why it is important: As recent attacks on major retailers demonstrate, the findings highlight an urgent need to strengthen cybersecurity foundations, with ransomware and supply chain vulnerabilities now directly impacting market valuations and customer trust.
The 2025 CISO Benchmark Report reveals significant vulnerabilities in retail cybersecurity infrastructure, with only 18% of companies achieving frontrunner status in digital core security maturity. The survey of 171 CISOs identifies ransomware (70%) and supply chain attacks (58%) as the primary security risks, while budget constraints (71%) and competing IT priorities (69%) emerge as major challenges. Business continuity has become the top cybersecurity priority, rising four places from 2024, reflecting the sector's growing focus on operational resilience. The report highlights a significant shift in security workforce composition, with contractors comprising 52% of InfoSec teams, rising to 60% among frontrunners. Despite these challenges, the sector shows promising developments in NIST Framework adoption, with scores rising 25% since 2024 and frontrunners outperforming peers by 12%. The findings emphasise the critical need for retailers to secure their digital core while balancing rapid technological advancement with robust security measures.
IADS Notes: The 2025 CISO Benchmark Report's findings are starkly validated by recent events in the retail sector. The report's emphasis on ransomware as the top security risk (70% of respondents) was demonstrated by the devastating Marks & Spencer attack in April 2025, which wiped £700 million off their market value. The importance of supply chain security, cited by 58% of respondents, was highlighted when both Harrods and Co-op suffered breaches through third-party vulnerabilities in May 2025, with Co-op's incident affecting up to 20 million customers. The report's revelation that 82% of companies lack strong security maturity aligns with the March 2025 Crowdstrike incident, where a single security update failure resulted in £5.4 billion in losses across Fortune 500 companies. These incidents have transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector, while demonstrating the report's key finding that business continuity has become the top cybersecurity priority.

RH-ISAC: Sainsbury’s rewards programme targeted by malicious actor for monetary gain
What: Cybercriminals target Sainsbury's loyalty programme members through unauthorised access and point redemption scheme.
Why it is important: This incident reveals a critical security challenge for retailers as loyalty programmes evolve from simple point-collection systems to valuable digital assets requiring sophisticated protection measures.
Sainsbury's Nectar loyalty programme members are experiencing a significant surge in points theft, with one customer reporting the loss of two years' worth of accumulated points. This follows an earlier investigation that uncovered GBP 63,000 worth of stolen Nectar points over a one-year period, prompting the implementation of a "lock" feature for all accounts. The primary attack method involves unauthorised access and rapid redemption of points at unfamiliar locations, suggesting the use of credential stuffing, phishing, or security vulnerability exploitation. While Nectar maintains that only a small proportion of accounts are affected and highlights protective measures like the "Spend Lock" feature, the recurring incidents indicate an ongoing targeted campaign against one of Europe's largest loyalty programmes. Security experts are particularly concerned about the timing of these attacks during peak accumulation periods like Christmas.
IADS Notes: The Sainsbury's Nectar points theft incident in June 2025 aligns with a broader pattern of sophisticated cyber attacks targeting retail loyalty programs. This follows May 2025's revelation of a complex cybercrime supply chain specifically targeting retail loyalty programmes, where criminals sell stolen credentials for as little as GBP 5. The timing is particularly significant as it coincides with industry data showing ransomware accounting for 30% of retail security incidents, with average losses reaching GBP 1.4 million per attack. The vulnerability of loyalty programs has become increasingly critical as retailers expand their digital engagement strategies, while the Co-op's recent cyber attack affecting 20 million customers demonstrates the scale of potential breaches in major retail loyalty systems.

Stolen logins, lost trust: The hidden supply chain behind account takeovers in retail & hospitality
What: Account takeover attacks have evolved into a sophisticated cybercrime supply chain targeting retail loyalty programmes and e-commerce platforms, with criminals selling stolen credentials and session cookies for £5-20.
Why it is important: The emergence of this organized criminal marketplace directly threatens the digital transformation efforts of retailers, with recent incidents showing how stolen credentials can lead to millions in losses through loyalty point theft, fraudulent transactions, and damaged customer trust.
The cybercrime ecosystem has evolved into a sophisticated supply chain that systematically targets retail and hospitality businesses through account takeover (ATO) attacks. With an alarming 28% annual growth in exposed credentials, this underground economy operates through a well-structured network of initial access brokers, who sell stolen information and active session cookies for as little as £5. The threat is particularly acute for retail loyalty programmes, which often lack robust multi-factor authentication while containing valuable, cash-equivalent points. E-commerce platforms face similar vulnerabilities, as stored payment methods and customer preferences become lucrative targets for fraudsters. The impact extends beyond immediate financial losses, affecting customer trust and operational stability. Particularly concerning is the criminals' ability to bypass traditional security measures through session hijacking, where stolen cookies enable unauthorized access without triggering standard security alerts. To combat these threats, retailers must implement a layered defence strategy, including shorter cookie durations, proactive session monitoring, and adaptive authentication measures for high-risk accounts.
IADS Notes: The article's warnings about account takeover (ATO) threats are starkly validated by recent cyber incidents across the retail sector. In April 2025, Marks & Spencer fell victim to the Scattered Spider hacking group, resulting in a £700 million market value loss and highlighting how sophisticated cybercrime networks can paralyse major retailers. This was followed by attacks on Harrods and Co-op in May 2025, with the latter exposing data of 20 million customers, demonstrating the scale of potential breaches. The financial impact has been severe, with industry data from April 2025 showing ransomware accounting for 30% of retail security incidents and average losses reaching £1.4 million per attack. The ripple effect has transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector. These incidents underscore the article's emphasis on the cybercrime supply chain, as demonstrated by the December 2024 Blue Yonder ransomware attack that affected over 3,000 retailers worldwide, showing how criminals can exploit interconnected retail systems for maximum impact.

Uncovering critical cyber threats to retail and hospitality
What: A comprehensive analysis of cyber threats in retail reveals critical vulnerabilities across ransomware, phishing, and supply chain security, with third-party breaches accounting for 41% of reported incidents and average losses reaching USD 1.4 million per ransomware attack.
Why it is important: As retail operations become increasingly digitised and interconnected, understanding and addressing these cybersecurity vulnerabilities is crucial for protecting both business operations and customer trust in an industry that relies heavily on seamless digital transactions.
The retail and hospitality industries face an intensifying array of cyber threats, with ransomware accounting for 30% of all reported incidents in 2024. These attacks have led to average operational downtimes of 72 hours and recovery costs reaching USD 1.4 million per incident. Phishing campaigns targeting customer data have increased by 22% year-over-year, while third-party supply chain breaches represent 41% of reported incidents. The impact extends to cryptocurrency fraud, with businesses reporting USD 450,000 in losses per incident. ReliaQuest's report emphasises the need for a defense-in-depth strategy, highlighting how intelligence-driven solutions and automation can significantly improve threat detection and response times. The findings underscore the critical importance of industry collaboration through organisations like RH-ISAC, particularly as cyber threats continue to evolve and target the sector's growing digital infrastructure.
IADS Notes: Recent cyber incidents underscore the report's findings about retail sector vulnerabilities. In March 2025, a single security update failure caused USD 5.4 billion in losses, while December 2024 saw a ransomware attack disrupting over 3,000 retailers' operations. The sophistication of threats is evident in January 2025 data showing 90% of successful cyberattacks begin with phishing, and the discovery of advanced card skimming malware targeting payment systems. El Corte Inglés's recent data breach through an external provider further demonstrates the critical importance of comprehensive security protocols and rapid incident response capabilities.
KasadaIQ Insights: Refund Fraud

RH-ISAC: Sophisticated card skimmer targets WordPress checkout pages via database injection
What: Security researchers have identified a new malware variant that compromises WordPress e-commerce sites through database manipulation, capturing credit card data during checkout while circumventing standard security protocols.
Why it is important: The emergence of this sophisticated malware highlights a critical vulnerability in retail payment infrastructure at a time when digital transactions represent 70% of global sales, threatening both merchant operations and customer trust.
A sophisticated credit card skimming malware, designated as malware.magento_shoplift.273, has emerged as a significant threat to WordPress-based e-commerce sites. The malware employs an innovative approach by injecting malicious JavaScript directly into the website's database, specifically targeting the wp_options table's widget_block entry. This method allows it to evade traditional security measures that focus on file-based malware detection.
The skimmer activates exclusively on checkout pages, either by hijacking legitimate payment fields or creating convincing fake credit card forms to capture sensitive data. The stolen information, including credit card numbers, CVV codes, and billing details, undergoes Base64 encoding and AES-CBC encryption before being transmitted to attacker-controlled domains. The malware's sophisticated design enables it to operate stealthily, using the navigator.sendBeacon function to exfiltrate data without disrupting normal user activity. This development presents a particular challenge for retail and hospitality sectors, where e-commerce platforms are crucial for daily operations.
IADS Notes: The discovery of this sophisticated card skimmer represents a concerning evolution in retail cybersecurity threats. In December 2024, Stripe blocked nearly 21 million fraudulent transactions worth USD 917 million during just one weekend, highlighting the scale of payment security challenges. The skimmer's technique mirrors the June 2024 Neiman Marcus breach, where attackers compromised cloud databases to access customer data. With mobile transactions now accounting for 70% of global sales, this threat is particularly significant for retailers navigating digital transformation while maintaining security.

RH-ISAC: Holiday season cyber threat trends 2024
What: RH-ISAC has released its Holiday season cyber threat trends 2024.
Why it is important: For the retail, hospitality, and travel community, the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations expand in both scale and intensity to match the rise in consumer traffic.
The key takeaways of member analysts provide critical insight into the active defensive trends in the retail sector. Social engineering and fraud remain critical concerns, with various types of fraud increasing dramatically in the current period. Organizations are seeing an increase in the prevalence of call-based social engineering, loyalty and gift card fraud, and DoS attacks.

RH-ISAC: Guest speaker presentation: Introduction to RH-ISAC 2024
Who: The Retail & Hospitality Information Sharing & Analysis Centre (RH-ISAC) is the cybersecurity sharing and collaboration community for the consumer-facing business sector. As Vice President of Membership, Luke is responsible for member growth and engagement, as well as, as part of the leadership team, overall organisational strategy. The RH-ISAC is a dynamic community with more than 250 member companies. It partners with key trade associations to strengthen the collective efforts to improve cybersecurity in our shared sectors. Before joining the RH-ISAC, Luke held similar positions at the Society for Corporate Governance and the Academy of Management.
Why it is important: Luke presented an overview of retailers' current cybersecurity threats. He highlighted ransomware, social engineering, and third-party risks as the most significant concerns. He explained RH-ISAC's function as a non-profit cybersecurity organisation partnering with retailers. His presentation highlighted the partnership inked between the IADS and RH-ISAC as an exclusive perk to its members. It was part of the 2024 programme, during which every IADS partner came to introduce their actions to the CEOs.

RH-ISAC: The financial impact of cyberattacks on department stores

RH-ISAC August 2024: Monthly Leadership Briefing
What: RH-ISAC has released its monthly leadership briefing. In August 2024, third-party breaches and supply chain vulnerabilities continued as the primary driving force for the retail and hospitality community threat landscape.
Why it is important: The ongoing third-party breaches and supply chain vulnerabilities highlight the critical need for businesses and individuals to ensure the security of their digital interactions, as these incidents can directly impact the services they rely on daily. Additionally, the global outages caused by the Crowdstrike update and vulnerabilities in widely used services like TeamViewer and OpenSSH emphasize the importance of staying informed and prepared for potential disruptions that could affect operations, data privacy, and personal security.
For the month of July 2024, third-party breaches and supply chain vulnerabilities continued as the primary driving force for the retail and hospitality community threat landscape. The global outages resulting from a problematic Crowdstrike update consumed resources and attention of IT and cyber teams across global regions and industries in July, in addition to major vulnerabilities and incidents at ubiquitous services such as TeamViewer and OpenSSH.

RH-ISAC: Crowdstrike & Windows outages report
On July 19, 2024, there were significant Crowdstrike/Windows-related outages affecting nearly every industry globally. While these outages are not observed to be a security issue, they do involve security software. Here is some detailed information outlining the outages and how to mitigate the attacks. Due to the technical nature of this information, it is advised to direct it to a CISO or CIO.
Context
On 19 July 2024, widespread outages of Windows systems were reported across industries and global regions. According to BleepingComputer, "A faulty component in the latest CrowdStrike Falcon update is crashing Windows systems, impacting various organizations and services across the world, including airports, TV stations, and hospitals.
The glitch is affecting Windows workstations and servers, with users reporting massive outages that took offline entire companies and fleets of hundreds of thousands of computers. […] The company revealed that the culprit is a Channel File, which contains data for the sensor (e.g. Instructions). Since it is just a component of the update for the sensor, this type of file can be addressed individually without removing the Falcon Sensor update."
As of this writing, Crowdstrike maintains that the issue is not threat-related.

RH-ISAC July 2024: Monthly Trade Association Briefing
What: RH-ISAC has released its monthly trade association briefing. In June 2024, third-party breaches and supply chain vulnerabilities were major threats in the retail and hospitality sectors, with significant vulnerabilities found in GitLab, MOVEit, CDK, and Snowflake.
Why it is important: Understanding these primary threats and vulnerabilities helps organizations prepare for potential cyberattacks and ensure business continuity. Timely updates and mitigations are crucial to protect against known vulnerabilities and minimize exposure to cyber threats. Monitoring trends and identifying active threat actors enable organizations to prioritize their defensive strategies effectively.
For June 2024, third-party breaches and supply chain vulnerabilities were significant threats in the retail and hospitality sectors. Key vulnerabilities were identified in GitLab, MOVEit, CDK, and Snowflake, with the RH-ISAC Intelligence Team recommending updates and technological tools for managing them. Trends showed a shift in TTPs, with Carbanak, FIN8, and Black Basta emerging as top threat actors. Understanding these threats and implementing recommended mitigations is vital for maintaining robust cybersecurity defenses.

RH-ISAC: Retail & hospitality intelligence trends summary, Q2 2024
What: RH-ISAC has released its Retail & hospitality intelligence trends summary: April – June 2024.
Why it is important: This report underscores the ongoing reliance of cybercriminals on established threat vectors like phishing, emphasizing the need for businesses to strengthen their defenses against these common attacks. The continued focus on third-party and supply chain risks highlights the importance of robust vendor management and risk assessment processes to safeguard against potential breaches and disruptions. Through active participation in intelligence sharing and analysis, businesses can better anticipate and respond to evolving threats, ensuring their security strategies are both proactive and adaptive.
In the RH-ISAC Intelligence Trends Summary for Q2 2024, the retail, hospitality, and travel sectors continued to face significant security challenges, with phishing and fraud remaining the most reported threats. The report highlights the community's active intelligence sharing, emphasizing insights gained from analyzing threat trends, including the persistent risks from third-party and supply chain vulnerabilities.

RH-ISAC Report: 2024 Organizational Security Structures report
What: RH-ISAC has released another benchmark report, "Prioritizing Security for Success - Analyzing Organizational Security Structures," in addition to their 2024 CISO report, that analyzes staffing data, organizational priorities, and other key indicators to offer insight into cybersecurity teams across the consumer goods & services, retail, hospitality, and travel industries. This report can help teams discern security functions to prioritize amidst the evolving cyberthreat landscape.
This Cybersecurity Organogram Analysis dives into the organizational intricacies of cybersecurity functions, highlighting key functions that are paramount.
Why it is important: In the bustling realm of today's digital landscape, where data reigns supreme and cyber threats loom ever larger, safeguarding sensitive information has become an imperative for organizations worldwide. Amid this backdrop, Accenture, in partnership with RH-ISAC, embarked on a research exercise, delving into the cybersecurity organizational structures by analyzing the Security Organograms of 66 companies across the Consumer Goods & Services (CG&S), Retail, and Travel & Hospitality industries.
Within this landscape, organizational structure emerges as the backbone of cybersecurity efforts, dictating how resources are allocated, strategies devised, and risks managed. Since the digital world connects everything, ensuring its security is essential, as digital exposure and vulnerabilities continue to expand.
First, prioritizing cybersecurity involves integrating it into organizational strategy and culture, requiring a clear understanding of risks and their potential business impact. This also highlights the importance of leadership endorsement in securing adequate resources and support for cybersecurity initiatives. Second, optimizing efficiency becomes possible by uncovering organizational inefficiencies or bottlenecks, enabling companies to streamline processes, allocate resources effectively and enhance operational efficiency. Third, examination of cybersecurity organizational layouts aids in identifying and mitigating potential security risks, allowing proactive measures to address vulnerabilities and shield against cyber threats.
The comparative analysis of cybersecurity structures across industries provides valuable benchmarks and insights into best practices, empowering organizations to adopt proven strategies and bolster their cybersecurity posture.

RH-ISAC report: 2024 CISO Benchmark report
What: The RH-ISAC CISO Benchmark Survey, conducted in partnership with Booz Allen Hamilton, reveals that a majority of Chief Information Security Officers (CISOs) anticipate increased budgets and staffing for cybersecurity in 2024, with a focus on vulnerability management and zero trust architecture.
Why it is important: This trend underscores a growing business recognition of cybersecurity risks and the need for enhanced program maturity amidst challenging budgetary conditions. It highlights the strategic areas where CISOs are investing resources to bolster security defenses against rising threats like Ransomware/Malware.
The 2024 outlook for cybersecurity within organizations appears promising, with 56% of CISOs expecting budget increases and 60% anticipating more full-time employees (FTEs). This optimism is part of a three-year trend, despite about 10% of CISOs bracing for budget cuts. The survey indicates a shift towards prioritizing vulnerability management and adopting zero trust architecture to mitigate threats effectively. Interestingly, there's a noted decrease in staff for Security Operations/Incident Response, which remains a highly outsourced service due to the demand for advanced security analytics and fraud detection.
The survey also provides guidance on budget allocation across various cybersecurity domains and suggests that CISOs expect to see improvements across all areas of their programs, especially in the "Recover" category of the NIST maturity analysis. Despite the potential of Generative AI as a business enabler, it poses significant concerns for security leaders, unlike the new SEC requirements, which seem to be of lesser worry as organizations review their existing plans with executive leadership.
This year's survey, with its highest participation rate yet, offers a comprehensive view of the current state and future directions of cybersecurity efforts across different sectors, emphasizing the critical role of CISOs in navigating the evolving landscape of digital threats and regulatory requirements.

RH-ISAC report: 2023 holiday season cyber threat trends
What: RH-ISAC reviews cybersecurity threats from the 2023 holiday season.
Why it is important: For the retail, hospitality, and travel community, the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations expand in both scale and intensity to match the rise in consumer traffic.
In order to examine the threat landscape facing members during the holiday season, RH-ISAC developed this report, the 2023 RH-ISAC Holiday Season Threat Trends Summary. The report is in four parts:
- Member Perspectives: In which key subject matter experts from leading member organizations provide their insights into their current defensive preparations.
- Threat Landscape: Where the RH-ISAC team examines the threat trends reported by the member community for previous holiday seasons from a historical and analytical perspective.
- Associate Member Analysis: In which Akamai highlights key trends for the holiday season, including malicious bot traffic and Magecart-style attacks.
- 2022-2023 RH-ISAC Ransomware Threat Landscape Comparison: In which threat analysts from RH-ISAC highlight major shifts in the ransomware threats facing the community over time.
2023 holiday season cyber threat trends

RH-ISAC report: How to comply with the new SEC cybersecurity reporting rules
What: RH-ISAC reviews new SEC cybersecurity rules regarding disclosure of cybersecurity incidents to enhance protocols and establish new processes.
Why it is important: This report discusses the significance of adhering to the new SEC standards, which is critical because non-compliance risks both legal and reputational implications. Organizations must swiftly identify material incidents to avoid unreasonable reporting delays.
To ensure compliance, RH-ISAC developed this report for retail and hospitality organizations, outlining the proactive steps to be taken, including enhancing incident response protocols, establishing transparent materiality determination processes, streamlining communication through standardized templates, providing necessary training, and collaborating with legal and technical experts. These measures are essential for not only achieving compliance but also mitigating the legal and reputational risks associated with cybersecurity incidents.
How Organizations Can Prepare to Comply with New SEC Cybersecurity Reporting Rules

RH-ISAC
Formed in 2014 as the home of the Retail and Hospitality Information Security and Analysis Center (ISAC), it operates as a central hub for sharing sector-specific cyber security information and intelligence. The association connects information security teams at the strategic, operational and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for the retail and hospitality industries through collaboration.
RH-ISAC currently serves companies in the retail, hospitality, gaming, travel and other consumer-facing entities.
As an official partner of the IADS, members have access to conferences, events and other resources, including their blog and podcast episodes.
Check them out below!

RH-ISAC report: 2022 holiday season cyber threat trends
What: RH-ISAC reviews cybersecurity threats from the 2022 holiday season.
Why it is important: For the retail, hospitality, and travel community, the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations expand in both scale and intensity to match the rise in consumer traffic.
In order to examine the threat landscape facing members during the holiday season, RH-ISAC developed this report, the 2022 RH-ISAC Holiday Season Threat Trends Summary. The report is in three parts:
- Member Perspectives: In which key subject matter experts from leading member organizations provide their insights into their current defensive preparations.
- Threat Landscape: Where the RH-ISAC team examines the threat trends reported by the member community for the 2020 and 2021 holiday seasons from a historical and analytical perspective.
- Associate Member Analysis: In which threat analysts from RH-ISAC associate member Flashpoint provide their perspective on the current holiday season threat landscape based on their research and data.
2022 holiday season cyber threat trends

RH-ISAC report: 2022 industry insights
What: For the retail, hospitality, and travel sectors, RH-ISAC reviewed the Verizon report and identified the key trends and findings most relevant to the community and the key industries listed that most closely align with their community's sectors of retail and hospitality.
Why it is important: This report compares some of the key takeaways from the Verizon Report with RH-ISAC's own member data, providing additional context to help members benchmark their threat landscape against a wider community.
Across all industries surveyed, Verizon reported core metrics and trends:
» The most common attack methods were: stolen credentials, ransomware, and phishing
» The most commonly targeted data were: payment data, personally identifiable information (PII), credentials, intellectual property, and non-sensitive data
» 73% of breaches were executed by external actors, and 18% of breaches were executed by internal actors
» 39% of attacks originated with third-party vendors
» 82% of incidents resulted from human error, and these errors were split between clicking on phish links and failing to follow standards which resulted in business email compromise.
» Most indicators of compromise (IOCs) had relatively good value for blocking
» Hashes had relatively low value, but IP addresses, domains, network artifacts, tools, and TTPs all were valuable for blocking