America's Thrift Stores has announced that it was recently the victim of a "data security breach that occurred through software used by a third-party service provider."
The for-profit company, which donates a portion of its profits to Christian ministries, has 18 stores in Alabama, Georgia, Louisiana, Mississippi and Tennessee.
According to company CEO Kenneth Sobaski, hackers from Eastern Europe leveraged malware to access some customers' payment card numbers and expiration dates, though the company believes no customer names, phone numbers, mailing addresses or email addresses were accessed.
Customers who used their credit or debit cards to make a purchase at an America's Thrift Store location between September 1, 2015 and September 27, 2015 may be affected.
"Though we and our service providers maintain rigorous IT security standards, malware entered our network through the software of one of our service provider’s systems," the company stated in a FAQ. "This virus/malware, is one of several infecting retailers across North America."
"As soon as we learned of this issue, we began working with the U.S. Secret Service and Sikich, an independent forensic investigator accredited by the Payment Card Industry Security Standards Council," the company added. "These experts analyzed the data breach, conducted a thorough forensic review and worked to both stop the attack and remove the malware. Now, we are collaborating with them to even further improve security against future attacks."
Customers with questions are advised to contact the company at 866-837-2071.
Tripwire senior security analyst Ken Westin told eSecurity Planet by email that retail breaches like this will inevitably continue to occur. "Unfortunately, even though retailers have started the transition to EMV and are implementing stricter security standards, we will continue to see credit card breaches for quite some time," he said. "In many cases the vulnerabilities that criminal hackers are targeting are baked into the payment infrastructure, and that means it [will] take considerable resources to migrate to more secure solutions."
"Many retailers need to implement completely new hardware to support EMV, so it might be a good time to reevaluate their security payment systems as a whole," Westin added. "This is especially relevant given the new threats we have seen targeting weaknesses in payment systems. The implementation of point-to-point encryption and stronger security controls on point-of-sale endpoints are just a two examples of things retailers can do right now to protect their customers."
And Mark Bower, global director of product management at HP Data Security, said the breach is yet another reminder of the need for companies to protect all customer information. "Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line," he said. "Particularly with the transition to EMV, a data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks."
"Proven methods are available to neutralize this data from breaches," Bower added. "Leading retailers have adopted data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a 'business as usual' matter for any organization handling card payment data."
"With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all your bases to protect consumer trust and satisfaction," Bower said.
A recent eSecurity Planet article offered advice on improving point-of-sale security.
Photo courtesy of Shutterstock.