Three retailers were recently hit by data breaches that exposed significant amounts of customer and employee data, including names, email addresses, delivery addresses, phone numbers, credit card data and tax information.
Grocery retailer Kroger recently began notifying all current and some former employees (more than 431,000 people) that their W-2 tax information may have been accessed via Equifax’s W-2 eXpress website, KrebsOnSecurity reports.
“It appears that unknown individuals have accessed the W-2 eXpress website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger stated in a FAQ provided to employees. “We have no indication that Kroger’s systems have been compromised.”
According to the company, some fraudulent tax returns seeking refunds may have been filed by the attackers, though Kroger is still working to determine which employees’ information was accessed.
Approximately 150 Northwestern University employees and at least 600 Stanford University employees and were also recently impacted by similar attacks on Equifax’s W-2 eXpress portal.
“The information in question was accessed by unauthorized individuals who were able to gain access by using users’ personally identifiable information,” Equifax spokesperson Dianne Bernez said in a statement provided to KrebsOnSecurity. “We have no reason to believe the personally identifiable information was attained through Equifax systems.”
Separately, online retailer Kiddicare recently acknowledged that 794,000 customers’ names, email addresses, delivery addresses and phone numbers may have been accessed from a test version of its website that was created in November 2015.
The breach was discovered when some customers began receiving phishing messages asking them to take an online survey.
In response, Kiddicare notified the UK Information Commissioner’s Office, deleted the test site, and reset all customer passwords, according to an online FAQ (PDF).
“We want to reassure everyone that the problem has been fixed, increased security measures have been implemented and we have a dedicated team … here to help with any further concerns,” the company told BBC News.
And in reporting its first quarter 2016 results on May 11, Wendy’s announced that “malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”
“Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues,” Wendy’s added. “The company and affected franchisees are working to verify and resolve these issues.”
According to the results of a recent survey of 200 IT professionals in the retail sector, the number of retail data breaches involving personally identifiable information (PII) has more than doubled since 2014 — 33 percent of respondents in 2016 said a data breach at their organization had exposed PII, compared to 14 percent of respondents to a similar survey in 2014.
The survey, conducted by Dimensional Research for Tripwire, also found that 59 percent of respondents said their breach detection solutions were only partially or marginally implemented.
“Unfortunately, these results indicate that we can expect retail breach activity to continue in the future,” Tripwire director of IT security and risk strategy Tim Erlin said in a statement.
A recent eSecurity Planet article examined the challenge of securing corporate data in a post-perimeter world.