It’s been a rough few years for retailers of every size as they continue the struggle against hacking events and data breaches. The estimate for 2015 breaches was that every compromised customer or employee record cost the business an average of $154US. In one study of over 350 companies who’d suffered a data breach in that year, researchers found the average total cost per company to be $3.9 million.

credit card phishing

One of the first major breaches to affect tens of millions of consumers and grab headlines around the world was the 2013 Black Friday breach of Target. The retailer’s point-of-sale credit card machines had been infected with software that gave hackers the credit card data of everyone who “swiped” at the register. The malicious software was later found to have been sent to one of Target’s third-party vendors in a phishing email.

That kind of mechanism for getting the software to its intended location has become a major focus for IT security experts. There’s a lot of work involved in pinpointing the path of destruction, but new evidence has come out that might shed a light on why data breaches are happening in record numbers.

RSA Research Group published its findings in 2014 that indicated some of the technological statuses of companies who’d suffered breaches. Using that research, Rotem Kerner has now been able to point the finger at more than seventy different surveillance camera companies who have vulnerabilities–especially to the famous Backoff malware–in its software.

“The software, named ‘Cross Web Server,’ proved to be for CCTV DVR (digital video recorder) equipment, which is widely used by retailers for physical monitoring,” explained Jeremy Kirk of IDG News Service. “But the server software was left running and open to the Internet, which is a potential security risk.

Kerner’s research led him to the Shodan search engine, which is well-known for exposing IoT devices and wifi networks that are unsecured. He found more than 30,000 systems running an open and vulnerable security camera. Sadly, with the limited budgets allotted to corporate security, a number of companies are lucky to even have surveillance cameras, let alone the sophisticated team to oversee their security and implement patches as the need arises.