The Supply Side: Walmart cybersecurity team handles over 200 billion events annually

by Kim Souza

Data breaches are always on the minds of retailers regardless of their size. In brick-and-mortar stores or online, all retailers face millions of hacker threats each day.

Walmart recently held its third annual Sp4rkCon (pronounced “Spark Con”) Information Security conference in Bentonville at the David Glass Technology Center. About 1,000 people attended the full-day conference, the majority of whom did not work for the retail giant.

Walmart said it holds the free seminar to convene small businesses and other cybersecurity professionals regardless of the industry they serve. Any business that stores customer data is at risk for a data breach.

Jugal Parikh, senior data scientist at Microsoft, was one of the keynote speakers. He said in January, 64 million people in 232 countries around the world were hit by hacker attacks. He said 60% of those attacks were over within one hour, and 48 million were first-time events.

He said more companies are using machine learning to help detect hackers and even predict the threats before they happen.

“If we don’t block them at first sight, then we have failed,” he said.

Parikh said by utilizing machine learning, companies can move with increased speed to predict the attacks and fend them off before a breach can occur. The average data breach in the U.S. costs $7.91 million, according to an IBM study in late 2018.

IBM’s report on U.S. companies showed the average size of a data breach was 31,465 stolen records per event, bigger than the global average of 24,615 stolen records per breach. The bigger the breach, the more costly it is for a business because of the added resources needed and the lost business cost.

The report found a breach of 1 million records on average costs businesses $40 million compared with a breach of 50 million records, which costs $350 million. The majority of U.S. data breaches (52%) are criminal. Another 25% involve human error or employee negligence, and 23% result from a system glitch, according to the report.

IBM reports that resolving a breach costs $157 per record for criminal attacks, $131 per record for system glitches and $128 per record for human error or negligence.

In the U.S. it took 201 days to identify a breach and 52 days to contain it. The biggest risk to businesses after a data breach is the loss of customers. IBM said in the U.S., the cost of lost business averaged $4.2 million per breach, which factors in abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Adam Ely, vice president and deputy chief information security officer at Walmart, said 40% of the time when a small business gets hacked “they are done.” Ely is one of 600 people who work in Walmart’s Information Security division. The information security team is based around the world, and Ely is based in Silicon Valley.

Walmart needs the massive team to run interference against hackers seeking to breach the company’s 500,000 network devices, 38,000 servers, three global data centers and 250 million customer transactions per week.

Walmart said its cybersecurity team handles more than 200 billion events each year and places considerable resources into keeping its vast data networks safe from hackers. Ely said Walmart protects its own data and stores from hackers, in addition to protecting the 16 startups it has acquired over the past three years.

One way Walmart said it accomplishes that task is by assigning employees to a “red” team that works to continually test the system by trying to hack into it. Other employees are assigned to a “blue” team that continually works to defend against attacks from the red team and the real threats from outside hackers. About two years ago, Walmart began to employ a “purple” team to maximize the benefits from the blue and red teams who constantly work against each other.

Jason O’Dell, senior director of incident management at Walmart, is responsible for the company’s data assurance, cyberintelligence and incident response across Walmart’s 11,300 stores in 27 countries and weekly customers and 2.2 million employees. He said running a “purple” team approach was necessary at Walmart because of the company’s large size.

“We have 3 million IP addresses on our network and over 2.2 million employees. If 0.0001% of our associates were malicious we’d have 230 malicious insiders,” O’Dell said. “It has taken us two years to change the mindset and effectively run a ‘purple’ team strategy getting the best from the red and blue teams so that 1 + 1 = 3.”

Continuing, he noted, “The first attempt was like a dumpster fire. But over time we have done a much better job with the ‘purple’ team approach predicting threats and defending against them.”

The high-profile data breach at Target in 2013 resulted in an $18.5 million settlement, but the overall cost to the retailer was much higher. Target also paid $10 million to settle a class-action lawsuit in 2015. The company also agreed to pay up to $10,000 to consumers who provided evidence they suffered losses from the data breach. With a loss of customers in the first few quarters following the breach, the total cost of that breach was an estimated $300 million as of mid-2017.

The Target breach involved hackers out of Ukraine who penetrated the system of an air conditioner vendor to Target. They got into the Target vendor’s computer through an email attachment and then made their way into Target’s system, accessing the retailer’s customer payment records.

Eddie Bauer recently reached a settlement on its data breach in 2016, which involved 350 stores in the U.S. and Canada. The Bellevue, Wash.-based retailer said it will pay roughly $10 million to settle with the Waterloo, Iowa-based Veridian Credit Union and other banks impacted by the breach.

That hack occurred when its point-of-sale systems were breached after malware stole customer data between Jan. 2, 2016, and July 27, 2016.

Eddie Bauer management labeled it a third-party criminal cyberattack.

Editor’s note: The Supply Side section of Talk Business & Politics focuses on the companies, organizations, issues and individuals engaged in providing products and services to retailers. The Supply Side is managed by Talk Business & Politics and sponsored by Propak Logistics.