The Year Ahead: Shoring Up Fashion’s Cyber Defenses

This article first appeared in The State of Fashion 2022, an in-depth report on the global fashion industry, co-published by BoF and McKinsey & Company. To learn more and download a copy of the report, click here.

Arguably, it has never been more urgent for fashion leaders to build resilience against cyber attacks. Cyber crime is becoming increasingly common and sophisticated, and consumers are shopping online more frequently and enthusiastically, giving businesses access to valuable data in the process. The concurrent growth of both activities leaves companies increasingly vulnerable to risks associated with data security and — ultimately — with company reputation.

The pandemic-induced acceleration of e-commerce uptake has played a role in heightening these risks. With e-commerce’s share of global fashion sales nearly doubling between 2018 and 2020 in some regions, momentum has been building for further growth. By 2025, e-commerce is expected to account for one third of all global fashion sales, reaching 40 percent and 45 percent in the US and China respectively. A record number of cyber attacks took place worldwide in 2020, resulting in significant data losses across industries. Retail, including fashion retail, was the fourth most-attacked industry, with companies across different categories and value segments suffering breaches.

Events compromising the integrity, confidentiality or availability of data in retail rose by 152 percent in 2020 compared to 2019, and the number of security breaches increased by 33 percent. Several fashion companies have already experienced severe attacks, such as Hudson’s Bay Company’s Saks Fifth Avenue and Lord & Taylor, which were victims of the theft of more than 5 million credit and debit card numbers in 2018, and Neiman Marcus, which more recently suffered a data hack on the personal and payment data of 4.6 million online customers in 2021.

“[Cyber crime] is getting worse for two reasons,” said Lance Spitzner, senior instructor at the US-based SANS Institute, a cooperative for cyber security professionals. “It’s becoming more and more profitable, so cyber criminals are going to follow the money… [and they] are getting much better at it, too. It’s become an entire industry now… [with] the cyber criminal community specialising in different fields.”

If fashion leaders are to protect their e-commerce growth in 2022 and beyond, they must shore up their cyber defences. That means reducing data risks throughout the data handling lifecycle, through collection, use and disposal, and in operations spanning the entire value chain.

In product development, for example, processes including design, drafting of manufacturing standards, certification, sketching and prototyping have been widely digitised, and the data is now routinely stored online, meaning that intellectual property (IP) in the digital realm requires more robust protection. With the rise of valuable digital assets such as NFTs, the need to protect online assets will only intensify.

In the e-commerce sales environment, distributed denial-of-services (DDoS) or ransomware attacks could lead to entire website or app shutdowns, directly impacting revenues. For example, one of Brazil’s largest clothing store chains, Lojas Renner, faced a ransomware attack on its e-commerce system in August 2021 which resulted in the shutdown of its systems and operations.

Digital risks associated with sales are not confined to e-commerce, however. Stores are increasingly augmented with technology, both on the shop floor and at checkout. Premises with virtual fitting rooms, in-store tablets and customer apps are vulnerable to attacks that can cause operational failures. In food retail, the supermarket chain Coop Sweden was the victim of a ransomware attack on a software supplier in 2021, which led to the closure of around half of its physical stores. The attackers demanded $70 million to restore data from all companies affected by the attack. Similarly, South Korean fashion conglomerate E-Land suffered a ransomware attack in 2020 that caused 23 of its 50 stores to close.

Another critical weak spot for fashion businesses is in customer data collection and handling. With the personalisation of customer experience increasingly playing a role in online interactions and companies seeking out an even wider array of data points to inform which products are brought to market, customers are sharing more personal data than ever before. This includes their names, addresses, location history, preferences, payment card data, shopping history, loyalty programme information and even information about their body shape and size. Not only does this increase the risk of improper data handling internally, it can also expose companies to risk externally when they share customer data with third parties — and when those third parties are located in different legal jurisdictions, they are subject to different privacy and data laws.

The shift to direct-to-consumer business models has both increased the potential to collect consumer data and made brands more vulnerable to breaches and attacks. In September 2021, fashion and beauty subscription service FabFitFun agreed to a monetary settlement of $625,000 in response to a claim that it failed to adequately protect and secure consumer data against hacker data scraping, which resulted in a data breach that compromised customers’ payment card information.

Attackers can harvest such data to sell to third parties or to attack customers directly. Furthermore, fashion brands’ presence on a growing array of social media platforms across international markets exposes both companies and employees to additional threats, including the accidental or deliberate leaking of data that could cause harm to brands.

Whatever cyber protection you had last year, last quarter, last month, yesterday, it’s not going to be enough for tomorrow.

—  Stefan Larsson

“Whatever cyber protection you had last year, last quarter, last month, yesterday, it’s not going to be enough for tomorrow,” said Stefan Larsson, chief executive of PVH Corporation, the parent company of Calvin Klein and Tommy Hilfiger. “To me, it starts with an awareness that the risk is… increasing, and getting really close to it, [and then] getting humility across the organisation that this is a continuous ongoing work of improvement.”

Alongside financial and reputational drivers, there is growing regulatory pressure on fashion companies to tighten cyber and data security, largely sparked by Europe’s General Data Protection Regulation (GDPR). The consequences for non-compliance can be severe. In July 2021, a Luxembourg government entity alleged that the EU law had been breached by Amazon, prompting it to level a $886.6 million fine against the e-tailer.

In the US, one example of increased legislation is the California Consumer Privacy Act (CCPA) which took effect in July 2021. It gives consumers the right to know what personal data a company has access to and who it is shared with. In Brazil, the Lei Geral de Proteção de Dados (LGPD) came into force in 2021. The law imposes penalties of up to 2 percent of annual revenues on companies that fail to protect customer data. Meanwhile, China’s new data security law which came into effect in November 2021 will regulate how companies collect and handle personal data. It also aims to ensure data is protected when transferred outside the country.

“There’s a great deal of confusion, because there are so many standards out there [across different jurisdictions]… as well as a desire to — if we can — get global harmonisation, or at least within the US have a federal standard that supersedes state standards,” said Susan Scafidi, founder and academic director of the Fashion Law Institute at Fordham Law School in New York. “Hanging over all of this is this question of who owns our personal data, and who has the right to exploit it, and how.”

There is evidence that consumers are increasingly aware of their data rights. In 2019, around 60 percent of European consumers knew that rules exist to regulate the use of their data, an increase from around 40 percent in 2015. However, consumer attitudes remain uneven across jurisdictions. Consumers in the US and Europe are more concerned about corporate accumulation of personal data, while those in Brazil and China are more comfortable trading data privacy for personalised services.

In aggregate, the costs of data breaches and ransomware attacks are significant. Direct costs could include penalties and fees, lawsuits, remuneration to customers and the cost of recouping data. Experience shows that significant data breaches can cost companies tens of millions of dollars. There are also indirect costs associated with a potential loss of consumer trust and the struggle to acquire new customers following an incident.

Though complex cyber security measures often require significant investment, there are ways for SMEs and companies with fewer resources to take steps to improve their security. According to Spitzner, since the majority of attacks are still somewhat rudimentary, company leaders should at least focus on the basics. “If you don’t know where to start, start improving your defences in phishing and passwords,” he said.

In an increasingly complex online ecosystem, there is an imperative for fashion companies to boost their operational resilience when it comes to cyber security and allocate a greater proportion of their budget to such defences. That means assessing and actively managing cyber and data risk exposure in the business itself, its third parties and its value chain. Leaders will need to take a risk-based approach, building in-house knowledge and resources while also considering leaning on external support from cyber security firms. Other industries have concentrated these efforts around a dedicated role such as the chief information security officer, who closely ties into legal and privacy teams.

Data is becoming both a strategic asset and a source of financial, reputational and operational risk. To meet customer expectations and comply with regulation, companies should put in place clear standards for the collection, use and storage of data. Moreover, they need to increase awareness of — and accountability for — threats while testing their cyber resilience through initiatives such as training frontline personnel on the sensitivity and handling of data. To prepare employees for the occurrence of a breach or attack, they should regularly organise cyber-attack simulations to test their response practices in real time, including the handling of communications to internal and external stakeholders. While there are many competing items on the C-suite agenda, cyber risk cannot be neglected.