Eddie Bauer recently announced that the point-of-sale systems at all of its retail stores in the U.S. and Canada were infected with malware that provided attackers with access to payment card information.
The names, card numbers, security codes and expiration dates of anyone who made purchases at an Eddie Bauer store between January 2, 2016 and July 17, 2016 may have been accessed. Online purchases were not affected.
“We have been working closely with the FBI, cyber security experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” Eddie Bauer CEO Mike Egeck said in a statement. “In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”
All those potentially affected are being offered one year of free access to identity protection services from Kroll.
“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” Egeck stated in an open letter to customers. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”
Travis Smith, senior security researcher at Tripwire, told eSecurity Planet by email that it’s crucial for retailers to place any point-of-sale machine on a segregated network from any other machines with locked down Internet access. “These machines typically have a handful of Internet locations required to process credit card data, if they require any at all,” he said. “Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker.”
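The advice above (a POS segment whose outbound traffic is limited to the handful of destinations card processing needs, with everything else dropped) lends itself to two concrete checks. The Python below is an added example written for this article, not code from Eddie Bauer, Tripwire or any vendor named here: it renders a default-deny egress policy from an allowlist as iptables rules, and it scans firewall log lines for connections that left the POS segment to a destination outside that allowlist. The subnet, destination addresses, ports and log lines are constructed placeholders, and the key=value log format is invented for the example rather than any vendor's format.

```python
"""Egress allowlisting for a point-of-sale network segment: render the policy,
then audit firewall logs for traffic that escaped it. Example code; all
addresses and log lines are constructed placeholders."""
import ipaddress
import re
from collections import Counter

# Hypothetical POS segment and the few destinations a terminal legitimately needs.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # payment processor gateway (placeholder)
    ("203.0.113.11", 443),  # payment processor failover (placeholder)
    ("10.10.5.20", 8530),   # internal patch server (placeholder)
}

# Constructed firewall log lines. Host 10.50.0.33 talks to an address that is
# not on the allowlist and pushes ~2 MB out on the first connection.
SAMPLE_LOG = """\
ts=2016-07-10T02:14:05Z action=allow src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp bytes=1823
ts=2016-07-10T02:14:09Z action=allow src=10.50.0.21 dst=10.10.5.20 dport=8530 proto=tcp bytes=5120
ts=2016-07-10T02:15:30Z action=allow src=10.50.0.33 dst=198.51.100.77 dport=443 proto=tcp bytes=2200000
ts=2016-07-10T02:15:31Z action=allow src=10.50.0.33 dst=198.51.100.77 dport=8080 proto=tcp bytes=1200
ts=2016-07-10T02:16:00Z action=allow src=10.50.0.33 dst=198.51.100.77 dport=8080 proto=tcp bytes=1300
ts=2016-07-10T02:16:02Z action=allow src=192.168.1.15 dst=198.51.100.77 dport=443 proto=tcp bytes=900
ts=2016-07-10T02:17:44Z action=deny src=10.50.0.40 dst=192.0.2.5 dport=25 proto=tcp bytes=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def render_iptables_rules(segment=POS_SEGMENT, allowlist=EGRESS_ALLOWLIST):
    """Render a default-deny egress policy for the POS segment as iptables
    FORWARD rules: accept return traffic for established flows, accept each
    allowlisted destination/port, then drop everything else from the segment."""
    rules = [
        f"iptables -A FORWARD -d {segment} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT"
    ]
    for dst, port in sorted(allowlist):
        rules.append(
            f"iptables -A FORWARD -s {segment} -d {dst} -p tcp --dport {port} -j ACCEPT"
        )
    rules.append(f"iptables -A FORWARD -s {segment} -j DROP")
    return rules


def find_egress_violations(log_text, segment=POS_SEGMENT, allowlist=EGRESS_ALLOWLIST):
    """Return allowed connections that originated inside the POS segment and
    went to a destination/port not on the allowlist. Lines the firewall
    already denied are skipped; hosts outside the segment are out of scope."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "allow":
            continue
        src = ipaddress.ip_address(rec["src"])
        if src not in segment:
            continue
        dst, dport = rec["dst"], int(rec["dport"])
        if (dst, dport) in allowlist:
            continue
        violations.append(
            {"ts": rec["ts"], "src": str(src), "dst": dst, "dport": dport,
             "bytes": int(rec["bytes"])}
        )
    return violations


def summarize_by_destination(violations):
    """Total bytes sent per unexpected destination, to rank what to look at first."""
    totals = Counter()
    for v in violations:
        totals[v["dst"]] += v["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for rule in render_iptables_rules():
        print(rule)
    hits = find_egress_violations(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['bytes']} bytes)")
    print(summarize_by_destination(hits))
```

The log scan is the part worth running even before the network redesign is funded: if the firewall is still allowing arbitrary egress from the POS hosts, the audit shows exactly which destinations would have been cut off by the rendered policy, and a large byte count to an unlisted address is the signal worth escalating.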
Still, Smith acknowledged that doing so may be a challenge. “For retail establishments which have one or two point of sale terminals in each store, it didn’t make sense three or four years ago to implement a second costly network segment for one or two devices,” he said. “Migrating to a segregated network may require hundreds of thousands of dollars in equipment and network redesigns, something retailers may not have an appetite for in today’s competitive marketplace.”
And RiskVision CEO Joe Fantuzzi said by email that attacks targeting vulnerable point-of-sale systems aren’t likely to end soon. “What’s more, these ongoing attacks against retailers, hoteliers and food chains indicate that it’s likely that there are many more businesses that leverage PoS systems that have been attacked but don’t yet know it because of a lack of insight into their risk and security posture,” he said.
“These attacks underscore that it’s imperative for organizations — especially those that rely on third party PoS systems — to gain visibility into their risk environment, and identify the most serious and glaring vulnerabilities that open the door for exploitation by cyber criminals,” Fantuzzi added. “Addressing these easy threat vectors early on will save these organizations a lot of pain down the road.”
A recent eSecurity Planet article suggested five best practices for reducing third-party security risks.