Top Retailers Who Should Know Better

Posted by UpGuard

Top 11 Retailers That Suck at the Internet

There's no arguing that internet retailers have it tough these days: web server vulnerabilities, expiring SSL certificates, PCI DSS compliance, and a host of other issues keep the most vigilant of etailers on their toes—all this, mind you, against a harsh backdrop of increasing cyber threats.

Even still, a handful manage to slip up when it comes to the most basic security measures, putting both their infrastructures and the data security of customers at risk. The following is a list of 11 online retailers who should know better.

11. Costco

CSTAR Score: 599

Costco's CSTAR Score

America's favorite membership-only warehouse club fails in the SSL department, among others. Only the account area of its website is encrypted, and—is that Java Server Pages?

Costco's CSTAR Score - Part 2

And despite getting hacked last year, Costco has yet to address these exploitable flaws in its website perimeter security.

10. Kohls

CSTAR Score: 504

Kohl's CSTAR Score

U.S. department store chain Kohls reported a 30% growth in ecommerce sales during last year's holiday shopping season. Unfortunately, this boost in online sales doesn't translate to increased security: the company's website lacks sitewide SSL encryption and only uses HTTPS for registration/login and account control pages. 

UpGuard also identified the following security gaps in the kohls.com website:

Kohl's CSTAR Score - Part 2


Today's shoppers expect a secure, fully-encrypted ecommerce experience. Not fulfilling this basic security requirement sends the wrong message to potential customers and enables phishers to carry out impersonation attacks.


9. Walmart

CSTAR Score: 504

Walmart's CSTAR Score

Just last month, a software bug in Walmart's online pharmacy site resulted in the exposure of patient healthcare records. A quick UpGuard web scan reveals several other critical security issues with the retail giant's website:

Walmart's CSTAR Score - Part 2

Once again, lack of sitewide SSL, unsecured cookies, and disabled DNSSEC, among others, are its primary security flaws.
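Two of the three issues named here (no sitewide HTTPS and cookies set without protective attributes) can be checked mechanically from a site's response headers. The following audit script is an added example, not code from UpGuard or the CSTAR scanner; it works over constructed sample responses embedded inline, and the Response class, header names and the hostname shop.example are assumptions for illustration. It flags a plain-HTTP page that is not redirected to HTTPS, an HTTPS page without Strict-Transport-Security, and any Set-Cookie header missing Secure or HttpOnly.

```python
"""Audit HTTP response headers for the weaknesses the post lists:
no sitewide HTTPS and cookies without Secure/HttpOnly.
All sample responses below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class Response:
    """Minimal stand-in for a fetched page (hypothetical; not a real library type)."""
    url: str
    status: int
    headers: List[Tuple[str, str]]  # (name, value); Set-Cookie may repeat


def header_values(resp: Response, name: str) -> List[str]:
    """Return every value of a header, matched case-insensitively."""
    return [v for (n, v) in resp.headers if n.lower() == name.lower()]


def audit_cookies(resp: Response) -> List[str]:
    """Flag cookies that lack the Secure or HttpOnly attribute."""
    findings = []
    for raw in header_values(resp, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only (Path=/ -> "path"); values are irrelevant here
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure (can be sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly (readable by page scripts)")
    return findings


def audit_transport(resp: Response) -> List[str]:
    """Flag a plain-HTTP page not redirected to HTTPS, or HTTPS without HSTS."""
    findings = []
    if resp.url.startswith("http://"):
        location = header_values(resp, "Location")
        redirected = (resp.status in REDIRECT_CODES
                      and location and location[0].startswith("https://"))
        if not redirected:
            findings.append("plain-HTTP page served without redirect to HTTPS")
    elif not header_values(resp, "Strict-Transport-Security"):
        findings.append("HTTPS response lacks Strict-Transport-Security")
    return findings


def audit(resp: Response) -> List[str]:
    """Combined report; an empty list means no findings."""
    return audit_transport(resp) + audit_cookies(resp)


# Constructed samples (hostname and cookie values are made up)
WEAK_HTTP = Response("http://shop.example/", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
REDIRECT_TO_HTTPS = Response("http://shop.example/", 301, [
    ("Location", "https://shop.example/"),
])
HARDENED = Response("https://shop.example/", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, sample in [("weak", WEAK_HTTP), ("redirect", REDIRECT_TO_HTTPS),
                          ("hardened", HARDENED)]:
        print(label, audit(sample) or "no findings")
```

The hardened sample shows the target state: every plain-HTTP request answered with a redirect to HTTPS, HSTS set on the HTTPS response, and session cookies carrying Secure and HttpOnly so they are neither sent in the clear nor exposed to injected script.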

8. Macy's

CSTAR Score: 456

Macy's CSTAR Score

The largest U.S. department store chain enjoyed online sales growth in the double-digits between November and December 2015, despite reporting lackluster brick-and-mortar holiday sales. This comes out to about 17 million online orders, a 25% bump from the previous year.

Not to burst Macy's' Thanksgiving Day Parade float, but an increase in online sales demands better security—a requirement they've yet to meet.

Macy's CSTAR Score - Part 2

Similar problems plague the Macys.com website, including lack of sitewide SSL encryption, unsecured cookies, and data leakage issues, among others.

7. Best Buy

CSTAR Score: 456

Best Buy's CSTAR Score

No stranger to security compromises, Best Buy recently experienced a data breach that left a number of customer records exposed back in 2014. And in 2011, the electronics retailer fell victim to a data breach twice in one month.

Despite these events, Bestbuy.com has yet to enable SSL sitewide.

Best Buy's CSTAR Score - Part 2

UpGuard's web scanner reveals a host of other website perimeter security flaws. Like many retailers on this list, Best Buy is an ongoing global target for cyber attackers. Reviewing the above makes it easy to understand why.

6. Lowe's

CSTAR Score: 456

Lowe's CSTAR Score

In case you haven't noticed by now, encryption, or rather lack thereof, is a common theme in data breach occurrences. Lowe's certainly has much experience in this regard: its 2014 data breach resulted in the theft of 35,000 employee records. Unfortunately, the home improvement retailer's storage provider failed to encrypt employees' personal data at rest.

Lowe's CSTAR Score - Part 2

Again, lack of sitewide encryption followed by numerous other website perimeter security flaws make Lowe's a prime target for cyber attackers.

5. Safeway

CSTAR Score: 418

Safeway's CSTAR Score

Perhaps a helping of malware to go with your asparagus and canned beets? Safeway.com has offered online grocery ordering/delivery for years but apparently didn't get the memo regarding proper website encryption. Its interior account and order pages are SSL-enabled, but again—sitewide encryption is necessary to prevent impersonation attacks.

UpGuard's external web scanner also reveals the following security issues, as well as a few other red flags:

Safeway's CSTAR Score - Part 2

Not only does Safeway's website perimeter security have flaws, but it seems to be suffering from a company morale issue as well.

4. Walgreens

CSTAR Score: 418

Walgreen's CSTAR Score

Aside from the usual lack of sitewide-enabled SSL, UpGuard's external web scanner reveals a few other critical security issues with America's largest drugstore chain:

Walgreen's CSTAR Score - Part 2

Walgreens has been at the center of a number of recent data breaches lately, including one involving patient data that will likely carry HIPAA-related penalties.

3. H&M

CSTAR Score: 409

H&M's CSTAR Score

Swedish fashion retailer Hennes & Mauritz (H&M) is reportedly in the middle of an aggressive ecommerce rollout that includes 9 more markets (e.g., Japan, Greece) on top of the 23 where it currently has an online presence. Let's hope that some of its security shortcomings are remediated before then.

Like Kohls, H&M has failed to implement SSL site-wide. Additionally, UpGuard's external web scan uncovered the following security flaws:

H&M's CSTAR Score - Part 2

Again, a non-encrypted ecommerce website sets off alarm bells for shoppers and lays out the green carpet for would-be cyber attackers.


2. Sears 

CSTAR Score: 409

Sears' CSTAR Score

You may recall Sears' 2014 SEC announcement that Kmart—one of its largest brands—had fallen victim to a data breach. Apparently any lessons learned were quickly forgotten: two years later, the company's web presence is still lacking sitewide SSL encryption.

Further analysis by UpGuard's external web scanner also reveals the following:

Sears' CSTAR Score - Part 2

Last year Sears reported net losses of $7.1 billion in its previous four fiscal years. Could a massive data breach be the last nail in the coffin for the struggling retailer? 

1. Target

CSTAR Score: 304

Target's CSTAR Score

Target is arguably the poster child for massive data breaches; sadly, it still has yet to enable SSL sitewide or take action on a number of other critical security issues:

Target's CSTAR Score - Part 2

Security researchers have suggested that its infamous 2013 data breach was triggered in part by attackers exploiting an internal web application vulnerability with SQL injection, XSS, or 0-day exploits, subsequently allowing them to gain an internal foothold. Remarkably, some of Target.com's security issues detailed above leave it susceptible to similarly styled attacks.

In short, when we say "sucking at the internet," we mean not taking basic security measures to protect website visitors and customers against cyber threats. Data breaches may be inevitable, but there's no need to speed things up; survival in today's cyber threat landscape requires both the protection of the IT assets that matter most and the adoption of risk management measures to weather security control failures. This is what UpGuard and CSTAR are all about—our platform and cyber risk scoring system give organizations the requisite visibility for staying protected and a quantifiable measure of cyber resilience.

Source(s):

https://www.internetretailer.com/2016/02/04/kohlscom-sales-growth-highlight-retail-chains-q4

http://www.healthcareitnews.com/news/walgreens-company-announces-data-breach

http://marketrealist.com/2016/01/macys-jcpenney-strong-online-sales-holidays/

http://www.forbes.com/sites/davelewis/2014/10/14/sears-owned-kmart-discloses-data-breach/#4749482f540d

http://fortune.com/2015/02/26/sears-earnings/

http://www.nbcnews.com/technology/best-buy-says-some-customer-accounts-hacked-867048

http://blog.trendmicro.com/best-buy-suffers-second-data-breach-in-a-month/

http://www.csoonline.com/article/2158122/identity-management/vendor-error-forces-lowes-to-issue-breach-notification-letters.html

http://healthitsecurity.com/news/wal-mart-pharmacy-coding-error-causes-healthcare-data-breach

http://www.thestar.com/business/personal_finance/2015/11/06/walmart-admits-photo-centre-customers-data-hacked-roseman.htm