According to investigative reporter Brian Krebs, at least half a dozen banks recently identified a pattern of credit and debit card fraud suggesting that several Staples locations in the northeastern U.S. may have been infected with point-of-sale (PoS) malware.
Potentially affected locations include seven in Pennsylvania, at least three in New York City, and one in New Jersey.
Staples senior public relations manager Mark Cautela told Krebs the company is investigating a “potential issue involving credit card data and has contacted law enforcement,” and said, “We take the protection of consumer information very seriously, and are working to resolve the situation.”
Tripwire security researcher Craig Young told eSecurity Planet by email that the limited scope of the Staples breach may indicate that it involved more of a physical attack element than other recent high-profile breaches. “It is possible that attackers found a way to compromise stores in person via Wi-Fi or perhaps exposed USB or Ethernet ports,” he said.
“At this point, however, not enough is known to attribute the attack vector,” Young added. “For all we know, the breach could have affected all stores with only a portion of the card data being sold initially.”
And Tripwire director of IT risk and security strategy Tim Erlin said it’s not a good sign that the breach was discovered by banks, not by Staples itself. “The identification of breaches through fraudulent activity is like finding out your house was burglarized by seeing your TV in the pawn shop window,” he said.
“As an industry, we have to do better and get ahead of the attackers,” Erlin added. “Retailers especially need to take the necessary steps to identify breaches and malware in their environments.”
In August 2014, the U.S. Department of Homeland Security issued an advisory warning that more than 1,000 American businesses had already been infected with the Backoff PoS malware. “DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised,” the advisory stated.
“Enterprises are now coming to a conclusion that they are either already compromised, or will soon be,” Seculert CTO Aviv Raff told eSecurity Planet by email. “It’s not a matter of ‘if,’ it’s a matter of ‘when.’ The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.”
A recent eSecurity Planet article offered advice on how to respond to a data breach, from determining the scope of the damage to consulting with data privacy counsel.