Post-Pandemic Data Privacy and Protection Risk Considerations for Retailers

2020 was a market-shaping year for the retail industry. The contactless shopping experience has led to dramatic and dynamic changes to retail operating models. While some retailers achieved record earnings, many struggled to adapt and at least 50 major US retailers entered bankruptcy. In an industry with already paper-thin margins, retailers are faced with consequential decisions as they reimagine the consumer experience and supply chain models.

According to a 2021 Deloitte analysis of retail C-suite executives, the top investment priority is digital acceleration. Yet, digital touchpoints are now table stakes for consumers and retailers alike.

For example, retailers are reimagining person-to-person interactions digitally with the use of live streaming and many are leveraging customer data and analytics to customize interactions and offerings and better anticipate fulfilling customer expectations. These shifts place more value on customer data, artificial intelligence and partner services and integrations (web and supply chain) for retailers. They also place strong emphasis on an important bond between consumer and retailer around trust and data privacy and protection. Today, however, research conducted by Deloitte on consumer perceptions of data privacy and protection concludes retail customers feel vulnerable. A data privacy and protection trust gap exists which retailers need to address as part of their post-pandemic transformation strategy.

View and download case study

Download now


of retailers may be vulnerable to web skimming based on a non-intrusive client-side data theft analysis


of data breach incidents within the retail industry in 2020 included personal or payment data


of data breach attacks within the retail industry in 2020 was financially motivated

Building trust - bridging the data privacy and protection gap

Retailers have an opportunity to build on the consumer trust achieved during the pandemic and grow these relationships through differentiated offerings and experiences. Yet, as retailers increasingly depend on customer data, customers are moving in an opposite direction and want more privacy control and protection. At the same time, cybercriminals are bypassing retailers’ server-centric web security; hackers are targeting customer browser sessions via Magecart-like attacks on JavaScript to steal valuable payment and customer data. Retailers are addressing this “trust gap” by granting consumers more transparency and control of data use and by extending their web security perimeter from the server to the client.


of consumers rate retailers unfavorably on data privacy, according to a Deloitte 2021 study


of retailers have digital acceleration as the top investment priority for 2021, followed by supply chain resilience

Client-side data breach and compliance risks

One of every two data breaches is the result of hackers according to a Ponemon 2020 study. With the web browser now a highly targeted attack surface, retail companies are extending their server-centric security perimeter to the web browser to address several client-side vulnerabilities:

Ad injection/malvertising

Hackers infiltrate ads and ad networks to corrupt and divert ecommerce experiences and conversions (journey hijacking) and steal ad revenues.

Data leakage

Transmission of data to an external recipient or destination, authorized or unauthorized, and happening either accidentally or with malicious intent.

JavaScript injection via third-party web supply chain

Hackers infect a retailer’s web supply chain via JavaScript injection to covertly penetrate the online experience and steal information. Third-party services enhance the customer experience by adding important features. The underlying JavaScript code originates from third parties or their extended ecosystem and loads at runtime, making it hard for retailers to control and validate.

JavaScript injection

Retailer websites utilize a heavy amount of JavaScript. JavaScript, both server and client side, makes user experiences dynamic. Because this code has access to web page data, hackers look for ways to covertly inject malicious code to read and steal data.

Formjacking/web skimming

Formjacking mimics real-world card skimming. Malicious code secretly captures data as your customers submit data during log in and checkout. The data is then transmitted to a criminal destination.

CSS injection

This vulnerability involves malicious CSS code being injected into a retailer’s website at runtime. Compromised CSS code can extract sensitive data.

Man-in-the-Browser (MitB)

The hacker first finds a way to infect the customer’s device. Once infected, the malware installs itself on the browser without the customer’s knowledge. The malware then records sensitive data sent between the customer and retailer and transmits it to a criminal site.

HTML tags

Tags are used to facilitate the collection and sharing of data between a retailer’s website and third-party technologies. Tag code, delivered at runtime, instructs the browser to send data to third parties and allows third parties access to data collected on the site. This risk is further compounded when third parties include tags for their partners (piggybacking). Tags can impact security and performance.


Keyloggers are a type of monitoring software designed to record keystrokes made by a user. Keystroke loggers record the information your customers type into your website and send to hacker sites.

Learn more about Ensighten and our solution

Online skimming blog
Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks
Read now
Web-based attacks guide
Learn more about website attacks and how the most common methods for exposing data are often overlooked
Read now
Online demo
See the Ensighten solution in action to learn how we can help ensure client-side web security
Book now