Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year. The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016. According to the company, its e-commerce website was not affected.
In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security. These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws. Read on to find out more .....Interestingly, Mr. Egeck in his letter described the incident at Eddie Bauer as “part of a sophisticated attack directed at multiple restaurants, hotels, and retailers,” which is likely an allusion to recent security incidents involving POS malware at HEI Hotels & Resorts (think Starwood, Marriott and Sheraton, among other large hotel brands) and Oracle MICROS (who supplies and supports a vast network of retail customers with POS systems). Perhaps this connection is the result of Eddie Bauer’s and the FBI’s investigation or simply an appeal to customers for understanding. Either way, Mr. Egeck is right that Eddie Bauer is merely the latest victim of a booming cybercrime trade.
Which begs the question, why don’t retail/hospitality businesses have a handle on this?
The quick answer is that POS systems are everywhere and vulnerable to attack. Intrusion methods vary but usually exploit the fact that POS terminals are frequently connected to LAN lines and computer terminals where employees also manage e-mail accounts and surf the web. Attacks might also take advantage of other vulnerabilities, such as default log-ins and single-factor authentication. These weaknesses create a foothold for introducing malware that steals payment card information from a POS terminal by leveraging its memory after card swipes (e.g. RAM scraping) or that captures valid controller credentials using old fashioned keylogging techniques. Once thieves get their hands on payment card information, they can then easily encode the stolen data on pretty much any card with a magnetic stripe and use it to make high-end purchases or buy gas during their next warm-weather vacation.
The reality is that these attacks are not particularly sophisticated and security experts emphasize that simple controls and better practices with respect to POS systems can achieve far greater protection for customer data. For example, the following recommendations should be fairly easy to implement and maintain:
- Gatekeeping. Utilize multi-factor authentication for POS credentials and never use default log-ins.
- Segmentation. Separate the POS environment from the company’s other networks and online assets. Minimize or eliminate any visibility the rest of the internet has into the POS system.
- Monitoring. Regularly monitor POS systems for malware and unusual activity. Invest in security technologies and third party forensic analysis if necessary.
According to Juniper Research, the global cost of data breaches could reach $2.1 trillion by 2019, and the average cost of a single data breach in 2020 could exceed $150 million as more business infrastructure becomes connected. These are staggering figures that hopefully will prove to be vastly inflated as retailers, hotels and even small local businesses become increasingly savvy about addressing cybersecurity risks. Square One: the POS system.