Staples Breach Impacts 1.1 Million, Adds To Ongoing Retail Lapses
Office supply retailer Staples said Friday that investigators determined cybercriminals impacted the point-of-sale systems at stores in 35 states, stealing an estimated 1.1 million customer debit and credit cards.
The information was released following a disclosure in October, in which the retailer acknowledged that forensics teams were investigating a possible data breach.
Staples said the attackers gained access to transaction data, including cardholder names, payment card numbers, expiration dates and card-verification codes. The retailer said there is no evidence that PINs were accessed during the breach.
Memory-scraping malware infected the payment terminals at 113 stores, exposing data from Aug. 10 through Sept. 16. Stores in Jersey City, N.J., and Springfield, Pa., were impacted for about three months, from July to September.
"Upon detection, Staples immediately took action to eradicate the malware in mid-September and to further enhance its security," Staples said in a statement. "Staples also retained outside data security experts to investigate the incident and has worked closely with payment card companies and law enforcement on this matter."
The company said it beefed up security measures, including stronger security software on its point-of-sale systems and the implementation of encrypted terminals.
Staples operates 1,400 U.S. stores. The company provided a list of the store locations that were targeted by the attackers. Staples said it found no evidence that purchases made at the retailer's website were impacted by the breach.
In addition, Staples said it received reports of fraudulent payment card use related to four New York stores at various times from April through September 2014. The payment terminals at those stores, including its Union Square and Broadway locations, were not infected with malware, the company said.
Staples is offering free credit monitoring, identity theft insurance and a credit report to customers who used a payment card at any of the affected stores during the relevant time periods.
Data breaches impacted dozens of U.S. retailers in 2014, including retail giant Target Corp., whose breach prompted its CEO and CIO to step down; Target acknowledged that the breach response cost the company an estimated $148 million.
Other retailers impacted included Home Depot, which reported the theft of 55 million credit and debit cards at its stores in the U.S. and Canada, and Michaels Stores, which said 2.6 million credit cards were exposed. High-profile franchises also were targeted, including 400 Dairy Queen ice cream franchise locations in 46 states and P.F. Chang's China Bistro, which announced a breach impacting 211 of its restaurants.
The high-profile data breaches have caused businesses in nearly every sector to assess their security postures, said Gus Chiarello, a regional sales manager at security solutions reseller and systems integrator The Herjavec Group.
Chiarello said encryption is essential for sensitive data, adding that organizations need to consider how closely they are monitoring systems and employees. Payment data is required to be encrypted under the Payment Card Industry Data Security Standard (PCI DSS). The data is typically encrypted in transit, but attackers found a weakness at most retailers: the window during which card data sits temporarily in plain text on the payment system, he said.
"It's been a very difficult year for retailers," Chiarello said. "Thieves are getting smarter and the tools they use are getting more sophisticated."
At the core of many of the retail breaches this year was malware designed to steal payment data while it is temporarily held in system memory. When a POS system is infected, the malware runs every 10 to 15 seconds, recording the card data it finds, and is programmed to upload what it collects to a remote server controlled by the card thieves.
The attacks against retailers this year were a well-organized and sophisticated operation, said Fengmin Gong, a security expert and founder and chief architect at security vendor Cyphort. Retailers need to keep point-of-sale systems functioning as stand-alone systems, turn off all other functionality, and add restrictions that limit the applications allowed to run on them, Gong said.
"Every point into and out of that POS system needs to be monitored closely and any exfiltration attempt blocked immediately," Gong said. "It's imperative not to create a mixed function system because it makes security much more difficult."
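The two traits described above, a locked-down stand-alone POS that should only talk to its payment processor, and malware that scrapes memory on a fixed cadence and uploads what it collects, both show up in outbound-connection logs. The following is an added example, not code from the article or from any vendor it quotes: it parses a constructed log format (timestamp, source host, destination, byte count) and flags POS flows that either leave for a destination outside an assumed allow-list or repeat at a suspiciously regular interval.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections from a POS VLAN. The log format
# ("<ISO timestamp> src=<host> dst=<ip>:<port> bytes=<n>") and the hosts,
# addresses and processor endpoint are all hypothetical, not real Staples data.
SAMPLE_LOG = """\
2014-09-01T10:00:00 src=pos-0113-01 dst=203.0.113.10:443 bytes=1820
2014-09-01T10:00:12 src=pos-0113-01 dst=203.0.113.10:443 bytes=1790
2014-09-01T10:00:24 src=pos-0113-01 dst=203.0.113.10:443 bytes=1811
2014-09-01T10:00:36 src=pos-0113-01 dst=203.0.113.10:443 bytes=1805
2014-09-01T10:00:05 src=pos-0113-02 dst=198.51.100.5:443 bytes=640
this line is deliberately malformed and must be skipped
2014-09-01T10:02:11 src=pos-0113-02 dst=198.51.100.5:443 bytes=655
2014-09-01T10:09:02 src=pos-0113-02 dst=198.51.100.5:443 bytes=648
"""

ALLOWED_DESTS = {"198.51.100.5:443"}  # assumed payment-processor endpoint only

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")

def parse(log_text):
    """Parse log lines into (timestamp, src, dst, bytes); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, size = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events

def find_suspicious(events, allowed=ALLOWED_DESTS, min_hits=3, max_jitter=0.2):
    """Return {(src, dst): reason} for flows that leave the allow-list or beacon
    at a steady cadence (std dev of gaps within max_jitter of the mean gap)."""
    by_flow = defaultdict(list)
    for ts, src, dst, _ in events:
        by_flow[(src, dst)].append(ts)
    findings = {}
    for (src, dst), stamps in by_flow.items():
        reasons = []
        if dst not in allowed:
            reasons.append("destination not on POS allow-list")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_hits - 1 and pstdev(gaps) <= max_jitter * mean(gaps):
            reasons.append(f"regular beacon every ~{mean(gaps):.0f}s")
        if reasons:
            findings[(src, dst)] = "; ".join(reasons)
    return findings
```

On the sample, only the pos-0113-01 flow is reported, for both reasons; the irregular, allow-listed traffic from pos-0113-02 to the processor is left alone.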
PUBLISHED DEC. 22, 2014