2014: the year of retailers getting hacked over and over again

2014 was marked by a streak of major cyberattacks on large retailers in the US. In most cases, PoS malware was at play. Now retailers are scrambling to improve their Point-of-Sale terminal security. It’s encouraging, but a pity that it took so long.

2014 is almost over, and it’s definitely a historic year in regards to cybersecurity. This is due, in part, to a streak of cyberattacks against major retailers in the US. Most of these ended with massive breaches and leaks of personal and payment data.

Retailers became targets for complex cyberattacks some time ago (see last years’ post on it), yet it was last year’s Target Corporation breach that drew special attention. With over 11 GB of data stolen and about 110 million customers affected, it quickly made its way onto the short list of the largest data breaches in history.

The attackers used the BlackPOS Point-of-Sale malware to attack vulnerable payment terminals without point-to-point encryption.

The incident cost Target dearly. Its CIO and CEO stepped down, it had to appease angry customers and authorities, and their profits were heavily affected.

Target wasn’t alone, though that barely brings any solace. Throughout 2014 several other gross retail chains reported they were under attack.

These included:

Neiman Marcus. The actual breach took place between July and October 2013, but it was only disclosed in January 2014. Initially it was reported that at least 2,400 Visa, MasterCard and Discover cards were affected. Later it was revealed that data belonging to 1.1 million people was compromised.

Michaels Stores, Inc., the large craft and home goods retailer, said in late January that it had been investigating a potential data breach that affected an unknown number of cards used in the chain’s stores in the last few weeks.

It wasn’t the first incident of this kind for Michaels: In early 2011 its debit card terminals were attacked in 20 states. This led to a class action suit from the affected customers.

Eventually it was reported that the payment cards of 2.6-3 million Michaels customers were affected between May 2013 and January 2014. Also affected was its subsidiary – Aaron Brothers, with data on roughly 400,000 customers changing hands.

Sally Beauty Supply said in March that it had been the victim of a successful cyberattack with the criminals making off with “fewer than 25,000 records containing card-present (track 2) payment card data”

Albertsons and SUPERVALU grocery chains announced in mid-August that a data breach may have exposed the credit and debit card information of an unknown number of its customers at various grocery store locations in more than 18 states. The attack was active roughly between June 22 and July 17.

– UPS announced a few days after that 51 of its stores suffered a “broad-based malware intrusion” earlier this spring. The company said unnamed malware avoided detection from “current antivirus software,” and it was discovered only after a third-party security firm was brought in for an inspection.

Goodwill Industries. C&K Systems reported in September that Goodwill and two other unnamed retailers were subjects of attacks that lasted for 18 months (Feb.1, 2013 through Aug. 14, 2014). The Infostealer.rawpos Trojan was used to extract credit card data.

Home Depot was compromised, with the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets stolen. 53 million email addresses were stolen as well. The notorious Backoff PoS malware is the main culprit. In November, Home Depot revealed that the incident cost them $43 million.

– Dairy Queen said in October that it was also hit with Backoff, with 395 of its 4,500 locations affected. Customer’s names and credit card numbers with their expiration dates were acquired, although the exact scope of the leak isn’t known.

“The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection,” the company said in a statement.

– Kmart acknowledged in mid-October that it fell victim to a “payment security incident” for most of September and some of October”. The company said payment data systems were infected with an unspecified “new form of malware” that avoided detection from antivirus software. The company didn’t disclose how many customers were affected.

A few days after Kmart reported their breach, First NBC Bank filed a federal class action suit against the company, saying that Kmart’s failure to protect customer information with “elementary” security measures left banks liable for the resulting fraud.

– Staples office supply chain reported investigating a potential issue involving credit card data. In November, Staples confirmed a PoS malware was at play. Otherwise, it remained tight-lipped on the number of possibly affected customers.

– Bebe said in early December that it was under attack between November 8, 2014 and November 26, 2014. Only the stores located in the U.S., Puerto Rico, and the U.S. Virgin Islands were affected. The scope of the attack and the tools used are unknown.

 

wide-2

In most cases it was PoS malware that led to the data breaches. It’s not a new type of a threat, but this year’s “stars” – BlackPOS/Kaptoxa and Backoff – showed the level of vulnerability and the sorry state of payment terminals security in the companies who process payment data from thousands of people daily. Apparently some of the victims did indeed fail to implement even basic security measures, such as antimalware software for the payment terminals, most of which are Microsoft Windows-based machines.

With the total number of victims towering beyond hundreds of millions, this issue is a hot topic.

In their analysis (available on Securelist) Kaspersky Lab’s Costin Raiu, Ryan Naraine and Roel Schouwenberg show that the problem is rather technical. “It’s very clear that PoS networks are prime targets for malware attacks”, they wrote. “This is especially true in the US, which still doesn’t support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can’t be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring”.

However, at least some of the victims have learned their lesson. Back in April, Target revealed it was accelerating plans to set up a full chip-and-pin system for its branded credit and debit cards. The company also plans to have terminals capable of accepting chip-and-pin cards in all of its stores by September.

In November, Target said they would roll out their own new chip-and-pin cards “starting early next year”. The company’s REDcard replacement came at a cost of more than 100 million dollars, which might be a good explanation why retailers didn’t adopt chip-and-pin cards earlier.

At the end of November eWeek reported that Chip-and-Pin cards were “finally winning acceptance in the retail sector” in the US, which is definitely encouraging news. Too bad it took so long and so many people were already affected.

Tips