Top retailers data breaches (and what it means for consumers)

As consumers, we want to protect your personal information and feel safe while transacting with our favorite brands and retailers. Unfortunately, many companies suffer from data breaches.

Data breaches can negatively impact businesses and individuals. Criminals can gain access to your personal information, which they can use for countless criminal activities.

Now, what proper security measures should you have in place to help protect your personal information, especially after a data breach?

We checked various data safety sources online to understand how data breaches happen. 

We also looked at the latest cases of data breaches among retailers. Hackers get innovative with their methods by the day, so it pays to stay updated on the latest tactics they use. 

We also requested expert insights on what to do after a retail data breach.

In the end, we share the top tip on how to protect your information from crimes like identity theft when a security breach happens. So, stick with us and avoid leaving your information vulnerable. 

What is a retail data breach?

A retail data breach happens when customer data that retailers have been compromised. Criminals can steal sensitive information, which can include the following:

  • Names
  • Addresses
  • Contact numbers
  • Credit card numbers
  • Account passwords 

Criminals then use this information to go on unauthorized purchase sprees, as well as commit identity fraud. In some cases, hackers target company data or accounts to sell on the internet for more money.

There are various types of data breaches, but here are some of the most common ones in the retail industry:

  • Ransomware: This pertains to accessing customer data, like saved credit card information, which is kept and locked until a ransom has been paid.
  • Malware: Malware or virus comes from fake websites or malicious files that hijack computer functions after being downloaded enough to collect customer data. 
  • Phishing: This pertains to emails posing as retailers, banks, and other trustworthy companies trick consumers into giving away information. 

Well-known examples of retailer data breaches

Big or small retailers can suffer from data breaches. Some have minimal impact, while others are significant. 

Here are some of the biggest data breaches among retailers within the last five years:

Estée Lauder (2020)

In February 2020, Jeremiah Fowler, a security researcher, found an unsecured online database containing data from American cosmetics company Estée Lauder.

The online database contained data from around 440 million customer records, which included email addresses, storage information, and IP addresses. 

Anyone could access the information, making it a high-risk data leak. Because it was open and unsecured, criminals didn’t even have to have advanced hacking skills to harvest the data.

The company reported that middleware security failures are responsible for the leak. Although Estée Lauder stated that the database didn’t contain financial information, this data breach still would’ve left many customers vulnerable to phishing, doxxing, and identity theft.

Lax security measures from large companies like this should warn anyone that even retail giants sometimes don’t exercise enough caution with your data, so it’s best to be careful with what you share with retailers.

DoorDash (2019)

In May 2019, the food delivery platform DoorDash reported that it encountered a data breach. The leak involved 4.9 million customer records.

DoorDash detected that a third-party provider had been acting unusually, and the company’s security team investigated the case. The staff found that a third-party gained access to some user information.

The breach didn’t affect all users, but it compromised the data of millions of customers and merchants who signed up on the platform on or before April 5, 2018.

The undisclosed third party accessed information like email addresses, delivery addresses, names, phone numbers, and transaction histories. The breach also exposed some driver’s licenses and payment details.

DoorDash claimed to have reached out to affected users.

Under Armour (2018)

In March 2018, sports brand Under Armour issued a public announcement of a data breach, which affected its food and nutrition application, My Fitness Pal. 

The company reported that the breach affected over 150 million users, and a third party has accessed their usernames and email addresses. 

Thankfully, the company collected and processed customer payment information details separately, keeping them safe from the data breach. 

Under Armour also reported that it didn’t collect identifying information, including driver’s licenses and social security numbers. 

Forever 21 (2017)

Forever 21, a popular fast fashion chain retailer, suffered data breach attacks for seven consecutive months in 2017 and only reported it in January 2018. It didn’t disclose the extent of the leak.

Hackers compromised POS (point of system) devices that allowed them access to customer credit cards. The hackers further strengthened this effort by installing malware that harvested card data. 

To resolve the matter, Forever 21 claimed that it hired a leading security and forensics team to conduct an investigation. The company also notified its customers, reminding them to monitor credit card statements for unauthorized charges closely.

Best Buy (2017)

Best Buy suffered a sustained data breach on September 27 and October 1, 2017. However, the company didn’t report the leak until April 2018, and it didn’t mention how many customers the incident affected. 

Hackers installed malware into the retailer’s chat software, stealing customer credit card details and other personal information. Customers who purchased from Best Buy or own a Best Buy credit card are likely victims of the breach. 

Best Buy posted this notice on its website to answer for its security lapses about the data breach. It informed users that the company would reach out to them and reminded them that they could get free credit monitoring services.

Retail data breaches: How much do they cost companies?

According to the 2021 Cost of a Data Breach Report, retail data breaches cost around $3.27 million on average. This is a huge leap from 2020’s data stating that they cost companies $2.01 million on average.

As previously mentioned, besides the expenses that data breaches incur, companies can also lose money due to litigation, customer compensation, and security improvements.

How can a data breach impact a retailer?

When a data breach occurs, companies work hard to keep the public damage minimal. This makes the consequences rather difficult to know. 

Companies can suffer devastating damage, including the following effects:

  • Direct fines and fees: Unfortunately, The Payment Card Industry Security Standards Council may impose fines and penalties, along with regulatory agencies and other partners. 
  • Damage to reputation and loss of consumer trust: You naturally wouldn’t trust a company that can’t keep your information safe—and this can be devastating for brands and companies. 
  • Additional security costs: Following a breach, a company will be obligated to offer credit monitoring to help customers keep their finances safe.

It will take time and hard work for retailers to gain the full trust of their customers. They may also have a hard time attracting new customers.

Data security challenges that retailers face

Retailers face numerous security challenges that can leave them vulnerable to data leaks. 

Here are some of the most common examples of what they must address:

1. Third-party attacks

Retailer data breaches can occur due to third-party attacks, such as what happened to DoorDash in 2019. 

Because retailers nowadays work with numerous third-party networks, they’re vulnerable to third-party cyber attacks.

Retailers must always work with trusted third-party partners to avoid these attacks. They also must invest in breach reporting and activity monitoring services.

2. Malware attacks

Cybercriminals can send malware and ransomware attacks to retail servers. 

When this occurs, users may be unable to access their files and have to pay hackers to take control back. 

Backups and anti-malware technology are necessary to address these incidents.

3. Human factors

As the 2020 Estée Lauder data breach case proves, malware and third-party attacks aren’t the only risks that retail companies must address. 

Aside from having robust security systems, businesses must educate staff about the dangers of leaks, how to prevent them, and what to do when they happen.

How to help protect your information?

Boris Jabes, CEO and co-founder of data integration platform Census, provides us with this expert advice:

“There are a few things you can do to protect your personal information if you have been involved in a data breach. First, change your passwords for any accounts that were affected, and be sure to use strong passwords that are difficult to guess. Consider using a password manager to help keep track of all your different passwords.” 

“You should also be careful about what personal information you share online, and be wary of any emails or phone calls from unfamiliar sources asking for your personal information,” he adds.

Jabes also reminds users to keep an eye on their credit reports and financial statements for any unusual activity, which could signify that their personal information is at risk. 

If you see anything suspicious, you must report it to the proper authorities immediately.


A data breach can be disastrous for any retail business. It leads to loss of revenue, fines on top of fines, and damaged customer trust. 

Coming back from a data breach can also be extremely expensive, far more than installing security measures in the first place.

A retail data breach may be out of your control as a consumer. However, it’s important to understand that you have rights as a customer following a breach. 

You have the right to be informed as soon as a data breach occurs and access to proper identity theft services like credit monitoring.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
Scroll to Top