Online Retailers Face New Threat This Holiday Shopping Season


As the days grow shorter and the nights grow cooler, that can only mean one thing: holiday shopping season is upon us. Last year, in the months of November and December alone, Americans spent $46.5 billion shopping online. But, in the season of peace, love, and harmony, e-commerce platforms, the engines that power both online and in-store shopping, are at war. Whether it is a system outage, data breach, or sluggish website, a single incident can mean massive revenue losses, and send stock prices plummeting.

So, who is winning? Is it the industrious, yet sometimes unprepared, retailers? Or the elusive software defects exploited by hackers that plague large enterprise systems?

Like any modern warfare, it is hard to definitively declare victory. The best approach is to examine some indicators.


The speed with which a shopper can select and purchase their holiday presents on a website is the first of our indicators. In a report called “State of the Union: Ecommerce Page Speed & Web Performance, Winter 2014,” Radware states that the top 500 retail websites are 21% slower than last year. While compressing media and optimizing bandwidth are great methods to a speedier shopping experience, retailers must also look to the underlying structure of their software. Inefficiently constructed application systems are just as likely to leave shopping carts empty as oversized images.

Like Santa’s elves, developers are pressured to release new features in time for the holiday season. Often, that means taking shortcuts at the expense of performance. Not only does slow performance deter shoppers -- resulting in the loss of revenue this season -- it also projects a long-term image that lacks sophistication to the consumer.


The second indicator is how well an e-commerce platform can handle unexpected events -- events such as errors or a surge in traffic. The recent Apple website crash after their iPhone 6 announcement was a wake-up call for many retailers. But this is not isolated to demand surges. Marks & Spencer’s new website -- designed to improve its customers’ shopping experience -- crashed in early 2014, prompting an angry backlash on social media.

While modern websites look beautiful and feel seamless, they are interacting with applications behind the scenes that may have been developed over two or three decades ago. This collaboration of the new and old is necessary, but, if not done in the right way, can cause catastrophic failures that cannot be solved by firing up a new piece of hardware.

Website crashes clearly mean lost revenue (millions per minute), but also give the impression that a retailer is unprepared to handle its eager customers.


The last, but certainly not least, of the indicators is how well a retailer protects its customers’ data. According to Bloomberg, there were more than 300 data breaches in which over 100,000 records were stolen since 2005. And, it appears retailers are the most susceptible. Just to name a few:

  • TJX, 2007, 100 million records
  • Sony PSN, 2011, 12 million records
  • Living Social, 2013, 50 million records
  • Target, 2013, 110 million records
  • eBay, 2014, 145 million records
  • Home Depot, 2014, 56 million records

Scarily enough, frequency of data breaches is on the rise. This is the new normal for retailers. Increasingly informed consumers don’t only look for a fluid shopping experience, but also a company that has proven they know how to secure both their online and in-store customer information.

The impacts of a data breach spread beyond the retailer’s business, quickly into the safety of the general public. Many retailers wait before taking action or making the breach public, for fear of causing panic among their customers. Ultimately, those who wait give the perception of a cover-up, losing serious credibility and brand equity with current and potential customers.

Security defects like Heartbleed and other zero-day attacks are extremely hard to detect because they reside between layers and components of an application. For the uninitiated, a zero-day attack is a hack that exploits a vulnerability in an application that developers are either unaware of or have not had time to patch. Often, by the time the security problem is discovered and a patch issued, it has already been exploited.


So, how can retailers win in this virtually invisible war, and deliver speedy, frustration-free online shopping this holiday season? They have to find performance, robustness, and security defects early and often. Proactive measurement of structural quality defects and code quality analytics can help developers and e-commerce directors spot vulnerabilities before the applications are released into production. Identifying and fixing software defects before they become problems ensures that stories traded around the fruit cake are not dominated by bad shopping experiences.

While retailers toil away executing their physical supply chain, are they paying attention to their information and electronic supply chains? Are Russian hackers treated as the same level of threat as Chinese bootleggers?

Who is winning this war? You be the judge.

John Chang
John Chang has helped Fortune 2000 companies leverage CAST’s solutions to reduce system-level defects and improve application development outcome success.