Weinswig’s Weekly Nov 23, 2018


Key Points

  • This week’s note “From the Desk of Deborah Weinswig” discusses the spate of attacks on retailers and consumers by the hacker group known as Magecart.
  • Walmart has overtaken Apple to become the No. 3 online retailer in the US. While Amazon still leads by a wide margin, accounting for 48% of e-commerce sales in 2018, Walmart is poised to capture 4% of all online retail spending in the US by year-end.
  • British online supermarket and technology firm Ocado is focusing on new expansion possibilities in Europe and in markets such as Japan, South Korea and Australia as it looks to strike deals with established grocers and venture into other categories.
  • American consumer retail company Williams-Sonoma and Reliance Industries subsidiary Reliance Brands recently announced a partnership that aims to bring Williams-Sonoma’s Pottery Barn, Pottery Barn Kids and West Elm brands to India.


Hacker Group Magecart Poses Threat to Retailers and Consumers Alike

Hacker groups operating under the Magecart umbrella have been targeting retailers and consumers. Although not yet a household name, Magecart has been modifying software on e-commerce websites to skim credit card information since 2014. The hackers sell the stolen data on underground marketplaces and the information is then used to fraudulently purchase goods that the credit card owners are then charged for. These incursions reduce consumer trust and damage brands, and retailers that discover them are forced to report them and sometimes pay government fines.

Magecart is a loose association of hackers that attack e-commerce payment mechanisms to skim credit card numbers. They gain entry into e-commerce sites through known vulnerabilities in their servers and then insert code to download consumer credit card numbers and security codes. These hackers often operate undetected for several months, and when they are discovered, they just move on to the next vulnerable website.

Hacked companies include Ticketmaster, British Airways and consumer electronics retailer Newegg. In the case of Ticketmaster, the hackers hit one of its subcontractors, which operates a chatbot on the company’s site, and modified a script. The breach was discovered by Monzo, an online-only bank used by some of Ticketmaster’s customers, but by that time, about 5% of customers were affected, equivalent to about 40,000 people. At British Airways, the hackers gained entry through a vulnerable web page component, gaining access to about 380,000 sets of credit card expiration dates and card verification (CVV) codes over about three weeks. In the Newegg case, the hackers compromised a server and added just 15 lines of JavaScript code, which was enough to enable them to skim the page for a month.

Who’s behind Magecart? Security researchers including RiskIQ have profiled six separate hacker groups, whose techniques range from casting a wide net, to going for high volume, to employing advanced methods, to hiding in plain sight and focusing only on top-tier targets such as British Airways and Newegg.

Once the hackers obtain the data they want, they use underground sellers and markets to sell it to buyers—and there are many shops that specialize in linking buyers and sellers of stolen data. The data buyers recruit mules to use the purloined credit card information to purchase and ship goods to selected destinations. In some cases, the data buyers recruit people needing additional income to receive the stolen goods at their residences. The buyers lie to these unwitting accomplices, telling them that they represent a legitimate logistics company. After a couple of packages have been received, these logistics firms disappear and move on to the next victim.

What should retailers do to protect themselves against hacking by Magecart? The vulnerabilities mainly lie in third-party JavaScript programs, and retailers have incomplete control over these. In addition, these programs have the power to undermine e-commerce protections. At present, the only remedies that exist are mitigation and disruption. RiskIQ advocates sinkholing, which means redirecting traffic bound for the hacker’s server to another server, particularly one operated by law enforcement: the traffic enters but never leaves, as in a physical sinkhole. The sinkhole can then analyze the traffic to identify the culprit.

While third-party JavaScript programs have been the entry point for Magecart and other malware, there is technology available that controls access and permissions used by these scripts. Moreover, these types of controls are required by new laws such as Europe’s General Data Protection Regulation (GDPR) and California’s Digital Privacy Law. There are several technical approaches that IT teams can adopt to provide the necessary security, including content security policies, subresource integrity (which allows web developers to ensure that resources hosted by third parties have been delivered without any modifications) and sandboxing (separating programs to ensure that if one is negatively impacted, others will not be).
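To make subresource integrity and content security policies concrete, the following Node.js sketch is an added example, not part of the original report. The vendor hostname, the sample script text and the function names are constructed for illustration.

```javascript
// Added example: pin a third-party script with Subresource Integrity (SRI)
// and restrict page behaviour with a Content-Security-Policy (CSP) header.
const crypto = require('crypto');

// Constructed sample: the vendor script as reviewed by the retailer, and the
// same file after extra code was appended on the vendor's server.
const REVIEWED = 'function openChat(){ /* vendor widget */ }\n';
const MODIFIED = REVIEWED + '/* unreviewed code appended later */\n';

// Integrity value in the form browsers expect: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  const digest = crypto.createHash(alg).update(body, 'utf8').digest('base64');
  return `${alg}-${digest}`;
}

// Mirrors the browser-side check: hash the delivered bytes and compare with
// the pinned value. A mismatch means the browser refuses to run the script.
function sriMatches(body, integrity) {
  const dash = integrity.indexOf('-');
  const alg = integrity.slice(0, dash);
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  const expected = Buffer.from(integrity.slice(dash + 1), 'base64');
  const actual = crypto.createHash(alg).update(body, 'utf8').digest();
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}

// Script tag the checkout page would ship (crossorigin is required for SRI
// on cross-origin resources).
function scriptTag(url, integrity) {
  return `<script src="${url}" integrity="${integrity}" ` +
    'crossorigin="anonymous"></script>';
}

// CSP limits where scripts may load from and where the page may send data,
// so a script that does run cannot post form fields to an unlisted host.
function cspHeader(scriptOrigins, connectOrigins) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptOrigins].join(' ')}`,
    `connect-src ${["'self'", ...connectOrigins].join(' ')}`,
    "form-action 'self'",
  ].join('; ');
}

const pinned = sriHash(REVIEWED);
console.log(scriptTag('https://vendor.example/chat.js', pinned));
console.log('reviewed copy accepted:', sriMatches(REVIEWED, pinned));
console.log('modified copy accepted:', sriMatches(MODIFIED, pinned));
console.log('Content-Security-Policy:',
  cspHeader(['https://vendor.example'], []));
```

The pinned hash must be regenerated whenever the vendor publishes a legitimate update, which is why SRI works best with versioned script URLs.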

As we head into the busy holiday shopping period, retailers need to be aware of the security risks surrounding third-party script vendors and have measures in place to monitor activity and be able to act swiftly if there is a security breach. For consumers, the best approach is to monitor credit card statements closely and respond quickly to any unauthorized activity.


Source: Company reports/Coresight Research


David’s Bridal Files for Chapter 11 Bankruptcy Protection, Aims to Stay in Business

(November 19) USAToday.com

  • David’s Bridal, the nation’s largest wedding retailer, filed for Chapter 11 bankruptcy protection Monday, but plans to stay in business. The company is saddled with hundreds of millions of dollars in debt from a private-equity buyout several years ago.
  • David’s Bridal assured customers that its bankruptcy would not disrupt their weddings—in part because it secured support from key lenders to stay alive. The company expects to continue operating more than 300 stores and its website.

Walmart Passes Apple to Become the No. 3 Online Retailer in the US

(November 16) TechCrunch.com

  • Walmart has overtaken Apple to become the No. 3 online retailer in the US. While Amazon still leads by a wide margin, accounting for 48% of e-commerce sales in 2018, Walmart is poised to capture 4% of all online retail spending in the US by year-end.
  • The news of the shift in e-commerce rankings comes alongside Walmart’s strong earnings. The retailer reported a 43% increase in online sales and upped its year-end forecast for both earnings and sales.

HanesBrands to Open Fourth US Retail Store, Expand Presence of Champion Brand

(November 16) BizJournals.com

  • HanesBrands is pushing to grow the retail presence of the Champion brand. Earlier this year, the company opened its first three US Champion stores, in Los Angeles, New York and Chicago.
  • Now, the company is further expanding Champion’s retail presence with the opening of a specialty store location in Boston, the brand’s fourth US location. The 2,825-square-foot store will open Saturday on Newbury Street, in Boston’s popular Back Bay retail area.

US Retail Sales Rebound Sharply in October

(November 15) Reuters.com

  • US retail sales rebounded sharply in October as purchases of motor vehicles and building materials surged. Sales were likely driven by rebuilding efforts in areas devastated by Hurricane Florence.
  • The Commerce Department said that retail sales increased by 0.8% last month as households also bought electronics and appliances. Retail sales in October rose by 4.6% from a year ago.

Nordstrom Full-Price Sales Cool as Customers Opt for Discount Aisle

(November 15) FT.com

  • Nordstrom said that full-price sales cooled in the third quarter as consumers shopped in its bargain aisles, helping the company to better-than-expected revenues but leading to a drop in its gross margin. The company said that like-for-like sales rose by 2.3% in the third quarter, in line with forecasts, but that shoppers eschewed full-price merchandise, instead lapping up discounted items.
  • Comps at Nordstrom’s full-price stores rose just 0.4%, down from 4.1% in the second quarter. By comparison, its off-price channels recorded a 5.8% comp increase, up from 4% in the previous quarter. Revenues rose by 3.3% from a year ago, to $3.75 billion, and were ahead of analysts’ estimate of $3.69 billion.


Store fleet numbers are as of the end of fiscal half years.
Source: Company reports/Coresight Research


Carrefour Belgium and Provera Belux Form a Purchasing Alliance

(November 13) Company press release

  • Carrefour Belgium and Provera Belux—the purchasing alliance whose members include Cora, Match and the Louis Delhaize Group in Belgium—have announced a partnership to jointly purchase goods for Belgium and Luxembourg.
  • Carrefour Belgium’s purchasing managers look to enter into negotiations starting January 1, 2019, with 140 main suppliers operating largely in the fast-moving consumer goods and general goods sectors.

WHSmith Enters Hong Kong with a Franchise Deal

(November 16) RetailGazette.co.uk

  • British retailer WHSmith has partnered with Thai travel retail group King Power to build the WHSmith brand and concepts across Hong Kong in order to expand its presence in Asia.
  • WHSmith International Director Louis de Bourgoing said, “We are currently present in six countries in the region: Singapore, Malaysia, Indonesia, Philippines, India and China, with excellent business partners, and we are delighted to welcome King Power Group as a new franchise partner.”

Ocado States Intent to Expand Across Europe, Asia and Australia

(November 15) Reuters.com

  • British online supermarket and technology firm Ocado is focusing on new expansion possibilities in Europe and in markets such as Japan, South Korea and Australia as it looks to strike deals with established grocers and venture into other categories in retail and beyond.
  • Ocado CFO Duncan Tatton-Brown said that the company has separated out a team of 50 employees to focus on future innovations that include finding broader usage for the company’s technology and capabilities.

Four Hema Directors Ousted by New Owners

(November 15) RetailDetail.eu

  • Dutch retailer Hema announced that four of its eight directors will vacate their positions in the next nine months and that they will not be replaced. The board members have been held responsible for poor results, according to sources cited by RetailDetail, as comparable sales have fallen in the past few months.
  • Hema, which is owned by Ramphastos Investments, said that the departure of the directors is a simplification of its structure and that the measures are necessary to operate more effectively.

VOI Technology Raises $50 Million to Expand Across Europe

(November 19) TechCrunch.com

  • Swedish electric scooter startup VOI Technology has raised $50 million in a series A funding round led by Balderton Capital. Vostok New Ventures, LocalGlobe and Raine Ventures were among the firm’s many angel investors.
  • The company plans to expand to Benelux, France, Germany, Italy, Norway and Portugal within the next few months. The startup has a user base of 120,000 and charges €1 to unlock an e-scooter and an additional €0.15 per minute.


Williams-Sonoma and Reliance to Launch Pottery Barn, West Elm in India

(November 15) MarketWatch.com

  • American consumer retail company Williams-Sonoma and Reliance Industries subsidiary Reliance Brands announced a partnership on November 15 that aims to bring Williams-Sonoma’s Pottery Barn, Pottery Barn Kids and West Elm brands to India.
  • The company plans to launch Indian e-commerce websites for the three brands and open stores for each in Mumbai in early 2020.

Alibaba Designates Liège as Its European Logistics Hub

(November 13) RetailDetail.eu

  • Alibaba has chosen the Belgian city of Liège as its first European hub, which will focus on logistics for the region.
  • Although Alibaba does not yet have any physical warehouses or infrastructure in Liège, the first flights between Hangzhou (where Alibaba is headquartered) and Liège began shortly after the November 11 Singles’ Day sales event.

Fung Retailing Increases Its Stake in Toys“R”Us Asia

(November 16) InsideRetail.asia

  • Fung Retailing, the retail arm of the Fung Group, is set to increase its stake in Toys“R”Us Asia from 15% to around 21%, which will make it the largest shareholder of the toy retailer. The remaining stake will be owned by Taj note holders representing a mixture of investment funds and financial institutions that have a stake in the defunct parent company, Toys“R”Us US.
  • The transaction represents a significant step toward separating the Toys“R”Us Asia operation from the rest of the business and the new partnership values the company at $900 million.

China Retail Sales Record Steady Growth in October

(November 16) RetailNews.asia

  • China retail sales registered 8.6% year-over-year growth in October, according to official figures released by the National Bureau of Statistics of China. The growth rate was short of the 9.2% year-over-year growth recorded in September. The statistics bureau attributed the slowing growth rate to delayed consumption ahead of the 11.11 Singles’ Day shopping festival.
  • Rural area sales rose by 9.7% in October, outpacing the 8.4% rise in urban area sales. Online spending grew by 25.5%, to ¥7 trillion ($1 trillion), during the first 10 months of this year.

Tencent Holdings to Join Chinese Investment Group to Acquire Amer

(November 14) Bloomberg.com

  • Internet conglomerate Tencent is reportedly close to joining a Chinese investment group that is bidding to acquire Finnish sporting goods firm Amer Sports.
  • The consortium, led by Anta Sports Products, would see Tencent involved as one of a few minority investors under the proposal. In September, Anta said that it was combining with local buyout company FountainVest Partners to offer a potential €40 ($45.60) per share for Amer, valuing the target at around €4.7 billion ($5.3 billion).


Farmacias Ahumada to Close 50 Stores

(November 16) America-Retail.com

  • Chilean pharmacy chain Farmacias Ahumada, which is owned by Walgreens Boots Alliance, will close around 50 of its 424 stores as part of its announced restructuring plan.
  • The company said in a statement that the restructuring process is aimed at increasing its profitability and enabling it to focus on its core business—health, beauty and wellness—in all possible marketing channels.

Falabella to Offer All Its Products on E-Commerce Platform Linio

(November 16) Modaes.com

  • Chile-based department store chain Falabella will offer all products from its department stores as well as its home improvement warehouse chain, Sodimac, on the Linio e-commerce platform, which it acquired last August.
  • The products will be available on the online platform beginning in the first quarter of 2019. Falabella will also sell Chinese electronic products on Linio in order to promote them on an international scale.

Walmex Increases Product Offerings for El Buen Fin 2018

(November 16) America-Retail.com

  • For this year’s El Buen Fin, Mexico’s annual shopping festival, which ran November 16–19, Walmex offered more than 2 million products through its stores, which include Bodega Aurrerá and Sam’s Club, its websites and its mobile applications.
  • The expanded product offerings included around 430,000 screens, 150,000 computers and tablets, 175,000 cell phones, and 60,000 consoles.

Éxito Opens a New Store in Bogotá, Colombia

(November 16) Company press release

  • Colombian retail company Éxito opened a new, 34,000-square-foot store on November 17 in the Gran Plaza el Ensueño shopping center in Bogotá, Colombia.
  • The new supermarket offers fruits and vegetables, meats, electronic appliances, and home products along with a freshly prepared foods section with a bakery and kitchen. Grupo Éxito’s digital catalog, Puntos Éxito, is also available in the store, to enable shoppers to purchase products that are not stocked on-site.

Brazilian Startup iFood Raises $500 Million in Funding

(November 16) LatamList.com

  • Food delivery app iFood received $500 million in funding from investors Naspers, Innova Capital and Movile, in what the company claims is the largest funding round for a tech startup in Latin America.
  • Fabricio Bloisi, founder and CEO of iFood’s parent company, Movile, told Forbes, “In order to keep growing exponentially like we have done, we have to invest like companies in the US and China do—and that’s what we will do over the next 14 months.”


Key points from global macro indicators released November 14–19, 2018:

  • US: US industrial output grew by 0.1% month over month in October, following a 0.2% advance in September and missing market expectations of a 0.2% gain. US inflation increased by 2.5% year over year in October, above the 2.3% rise in September and in line with market expectations.
  • Europe: The year-over-year inflation rate in the eurozone increased to 2.2% in October from 2.1% in September. The eurozone trade surplus came in at €13.1 billion in September, compared with €12.0 billion in August.
  • Asia-Pacific: The unemployment rate in Hong Kong stood at 2.8% for the three months ended October, remaining the lowest jobless rate since January 1998. Japan recorded a trade deficit of ¥449 billion in October, compared with a ¥131 billion surplus in September and missing market expectations of a ¥70 billion deficit.
  • Latin America: Colombia’s GDP advanced by 2.7% year over year in the third quarter, compared with 2.8% growth in the second quarter and in line with the consensus estimate. The Consumer Price Index (CPI) for Argentina increased by 5.4% month over month in October, compared with a 6.5% surge in September.
*Coresight Research’s evaluation of the actual figure’s impact on the economy relative to historical benchmarks and the current macroeconomic environment: + indicates a positive signal for the country’s economy, – indicates a negative signal and = indicates a negligible or mixed impact.
Source: US Federal Reserve/US Bureau of Labor Statistics/US Census Bureau/US Department of Labor/Eurostat/Office for National Statistics (UK)/Destatis (Germany)/INSEE (France)/Census and Statistics Department (Hong Kong)/Ministry of Finance Japan/Australian Bureau of Statistics/DANE(Colombia)/El Instituto Nacional de Estadística y Censos (Argentina)/Coresight Research
