tashka2000 - Fotolia
Data breaches have come to light at US department store chains Saks Fifth Avenue, Saks Off Fifth, Lord & Taylor and bakery-style café chain Panera Bread in the past two days.
On Easter Sunday, Hudson’s Bay, the parent company of the three department store chains, confirmed that a breach of its payment system had compromised the personal details of customers.
The company did not say how many customers are affected, but Hudson’s said there was no indication that the breach affected its online shopping websites or other brands such as Hudson’s Bay stores in Canada.
The confirmation came after a New York-based security firm Gemini Advisory reported that a cyber criminal group known as JokerStash or Fin7 had stolen five million payment card details belonging to customers of the three department store chains, with 125,000 already available for sale on the dark web.
According to Gemini Advisory, there is evidence that the initial breach took place about a year ago, which means the criminal group responsible has had unfettered access to customer data for months.
The cyber criminal group has been linked to breaches at major hotel and restaurant chains, and is said to use phishing emails targeted at managers, supervisors and other key decision-makers to trick them into opening attachments that launch malware that enables the compromise.
The breach emphasises the importance of a transition to the more secure EMV point of sale terminals in retail operations, said the Gemini Analysis report. “Although many large retailers managed to migrate entirely from older generation magstripe terminals to EMV in 2017, several nationwide chains still have not done so,” the report said.
The theft of five million payment cards, the report said, is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America.
However, the report also noted that in recent years, US and Canadian banks have advanced their fraud detection capabilities tremendously, which will allow them to minimise the impact of the breach on their customers.
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that much like automatic banking machines (ATMs), point of sales terminals can be an overlooked area of payment infrastructure.
“POS systems are just computers running operating systems that may be vulnerable to exploitation if they are not regularly maintained and updated. If an attacker is able to gain access to a single POS on the network, it is often possible to infect the entire network of terminals,” she said.
Panera Bread ‘dismissed’ alerts
On Easter Monday, security blogger Brian Krebs revealed that the Panerabread.com website has leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months.
The company was alerted to the fact that the personal data of anyone who had signed up for an account on Panerabread.com was available in plain text by security expert Dylan Houlihan in August 2017, but Panera Bread’s director of information security Mike Gustavison first dismissed his report as a likely scam, and then after a week of persistent messages from Houlihan, Gustavison said Panera Bread was “working on a resolution”.
But when the company had failed to take action to fix the problem for eight months, Houlihan said he set up a Pastebin page describing the vulnerability and reported the issue to Krebs, who reported that the site was still leaking customer records in plain text.
“Worse still, the records could be indexed and crawled by automated tools with very little effort,” he wrote in his KrebsOnSecurity blog post. Krebs also reported that after he spoke to Panera’s chief information officer John Meister by phone, the company briefly took the website offline.
According to Krebs, the site was later put online, but the customer data no longer appears to be reachable. The company issued a statement that the problem had been fixed within two hours of being contacted by Krebs, but did not explain why it had done nothing in the eight months after being notified of the problem by Houlihan.
Leaked customer records likely to exceed 37 million
The statement said the company’s investigation is continuing, but claimed that there was no evidence of payment card information nor a large number of records being accessed or retrieved.
Although it is not clear how many Panera customer records may have been exposed by the company’s leaky website, Krebs said the customer numbers indexed by the site suggest that number may be higher than seven million.
In response to the report by Krebs, Panera issued another statement downplaying the severity of the breach, stating that only 10,000 customer records were exposed.
However, in an update to his original story, Krebs said investigations by Hold Security show that this breach may be far larger than the seven million customer records, and that vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies.
“At last count, the number of customer records exposed in this breach appears to exceed 37 million,” said Krebs. At the time of writing, the Panerabread.com website was once again offline.
Different name, same story
Commenting on the Panera Bread breach, Lisa Baergen, a director at NuData Security, a Mastercard Company said the company names change, but the stories remain the same.
“Once again, customers have had their information leaked because of the poor security procedures of companies transacting online, who continue to rely solely on plain text identifiers and static data such as credit card numbers, passwords and even simple customer names and phone numbers,” she said.
According to Baergen, proven and effective ways for protecting customer are readily available and increasingly widely implemented.
“These are multi-layered security solutions that incorporate verification via passive biometrics, without adding friction, by evaluating a consumer’s inherent behaviour online during the transaction process.
“This field-proven approach lets the company confirm that a consumer is legitimate or a would-be fraudster before loss to the company can occur, even if the correct data – perhaps stolen – was used,” she said.
This approach also avoids a company’s reliance on the sort of personally identifiable customer data that has once again been leaked, according to Baergen.
“Ultimately, the shift to more advanced multi-layered solutions will, over time, render stolen information valueless to cyber criminals, as passive biometric verification defies use by third parties,” she said.