Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/19/2016
09:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Eddie Bauer Reports Intrusion Into Point Of Sale Network

Data belonging to customers who used payment cards at all 370 Eddie Bauer locations in the US, Canada compromised.

Clothing store chain Eddie Bauer has become the latest in a growing list of organizations to suffer a breach of its point-of-sale systems.

The company Thursday announced that unknown intruders had broken into its network and planted malware for capturing payment card data from its POS network. It described the intrusion as sophisticated and directed at multiple retailers, hotels, and restaurants.

The breach has exposed data belonging to an unspecified number of customers who used credit and debit cards to pay for purchases at Eddie Bauer stores between January and July this year. Not all transactions during this period were compromised the company said.

The data that was exposed in the breach included cardholder name, card number, expiration date, and card security codes.

From the retailer’s carefully worded description of the scope of the attack, it appears like all 370 Eddie Bauer stores across the United States and Canada were impacted by the intrusion. Eddie Bauer has said it will pay for one year’s worth of identity protection services for all customers impacted by the breach.

In a statement, Eddie Bauer chief executive officer Mike Egeck said the company is working with the FBI, cyberecurity firms and the credit card associations to mitigate fallout from the intrusion.  

Eddie Bauer is one of several organizations that have reported a breach of their POS systems in recent weeks and months. Earlier this month, HEI Hotels & Resorts, the operator of brands such as the Marriott, Hyatt and Sheraton and Westin disclosed a similar attack involving 20 of its properties.

Like Eddie Bauer, the hotel operator too blamed unknown attackers for planting malware on its POS network for intercepting and stealing credit and debit card data. 

The HEI breach announcement was preceded by another one this time from Oracle, which said attackers had placed malware on a website used to deliver support to customers of its MICROS POS subsidiary. Oracle said the malware was used to capture the usernames and passwords of MICROS’ customers logging into the support site. Some have speculated that the attackers behind the MICROS breach used their foothold on the support site to break into POS systems belonging to the vendor’s many retail and restaurant customers.

The string of breaches has heightened concerns about POS systems becoming a weak link in the US payment system chain even as credit card companies have tried to bolster security by migrating everyone to smartcards based on the Europay Mastercard Visa standard. The migration is widely expected to reduce some types of payment card fraud. For instance, EMV smartcards are expected to make it much harder for criminals to clone payment cards.

But POS systems, the electronic cash registers where people complete their transactions, continue to be vulnerable. In the last few years, attackers have increasingly targeted these systems so they can intercept card data between when a card is swiped or inserted at a payment device and before it is encrypted.

“Retail malware is typically designed to steal clear data in memory from POS applications,” said George Rice, senior director, payments, at HPE Security in a statement. This includes data from the magstripes on the back of cards, EMV card data and other sensitive data. “A POS application in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”

In a statement, Travis Smith, senior security researcher at Tripwire said retailers should consider putting their POS systems on a segregated network and separate from systems with Internet access. “Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker,” he said.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.