8/19/2016
09:00 PM
Eddie Bauer Reports Intrusion Into Point Of Sale Network

Data belonging to customers who used payment cards at all 370 Eddie Bauer locations in the US, Canada compromised.

Clothing store chain Eddie Bauer has become the latest in a growing list of organizations to suffer a breach of its point-of-sale systems.

The company Thursday announced that unknown intruders had broken into its network and planted malware for capturing payment card data from its POS network. It described the intrusion as sophisticated and directed at multiple retailers, hotels, and restaurants.

The breach has exposed data belonging to an unspecified number of customers who used credit and debit cards to pay for purchases at Eddie Bauer stores between January and July this year. Not all transactions during this period were compromised, the company said.

The data that was exposed in the breach included cardholder name, card number, expiration date, and card security codes.

From the retailer’s carefully worded description of the scope of the attack, it appears that all 370 Eddie Bauer stores across the United States and Canada were impacted by the intrusion. Eddie Bauer has said it will pay for one year’s worth of identity protection services for all customers impacted by the breach.

In a statement, Eddie Bauer chief executive officer Mike Egeck said the company is working with the FBI, cybersecurity firms and the credit card associations to mitigate fallout from the intrusion.

Eddie Bauer is one of several organizations that have reported a breach of their POS systems in recent weeks and months. Earlier this month, HEI Hotels & Resorts, the operator of brands such as the Marriott, Hyatt, Sheraton and Westin, disclosed a similar attack involving 20 of its properties.

Like Eddie Bauer, the hotel operator blamed unknown attackers for planting malware on its POS network to intercept and steal credit and debit card data.

The HEI breach announcement was preceded by another one, this time from Oracle, which said attackers had placed malware on a website used to deliver support to customers of its MICROS POS subsidiary. Oracle said the malware was used to capture the usernames and passwords of MICROS’ customers logging into the support site. Some have speculated that the attackers behind the MICROS breach used their foothold on the support site to break into POS systems belonging to the vendor’s many retail and restaurant customers.

The string of breaches has heightened concerns about POS systems becoming a weak link in the US payment system chain even as credit card companies have tried to bolster security by migrating everyone to smartcards based on the Europay Mastercard Visa standard. The migration is widely expected to reduce some types of payment card fraud. For instance, EMV smartcards are expected to make it much harder for criminals to clone payment cards.

But POS systems, the electronic cash registers where people complete their transactions, continue to be vulnerable. In the last few years, attackers have increasingly targeted these systems so they can intercept card data between when a card is swiped or inserted at a payment device and before it is encrypted.

“Retail malware is typically designed to steal clear data in memory from POS applications,” said George Rice, senior director, payments, at HPE Security in a statement. This includes data from the magstripes on the back of cards, EMV card data and other sensitive data. “A POS application in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”

In a statement, Travis Smith, senior security researcher at Tripwire, said retailers should consider putting their POS systems on a segregated network, separate from systems with Internet access. “Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker,” he said.
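As an added illustration of the segregation advice above (this code is not from the article, Eddie Bauer, or Tripwire), the following check audits flow records for register traffic that leaves the POS segment for anything other than an approved destination. The subnets, allowlist entries, log format and the function name `audit_pos_egress` are all assumptions made for the example.

```python
import ipaddress

# Constructed values: the POS VLAN, the organization's internal address space,
# and the only destinations registers are expected to reach.
POS_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DESTS = [
    ipaddress.ip_network("198.51.100.10/32"),  # hypothetical payment gateway
    ipaddress.ip_network("10.1.5.0/28"),       # hypothetical patch/AV servers
]

# Constructed flow records, one per line: "src dst dport bytes_out"
SAMPLE_FLOWS = """\
10.20.0.11 198.51.100.10 443 5120
10.20.0.11 10.1.5.3 8530 20480
10.20.0.12 203.0.113.77 80 914332
10.30.4.9 203.0.113.77 443 1200
10.20.0.13 10.40.2.8 445 3300
bad line
"""

def audit_pos_egress(flow_text):
    """Return (line number, kind, detail) for every flow that leaves the POS
    segment for a destination outside the allowlist. Lines that cannot be
    parsed are reported too, so gaps in logging stay visible."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport, sent = int(parts[2]), int(parts[3])
        except (IndexError, ValueError):
            findings.append((lineno, "unparsed", line.strip()))
            continue
        if src not in POS_NET:
            continue  # only traffic originating from registers is in scope
        if any(dst in net for net in ALLOWED_DESTS):
            continue  # expected payment or maintenance traffic
        # Anything else breaks the segmentation policy: either a path to the
        # Internet or a path to another internal segment.
        kind = "lateral" if dst in INTERNAL_NET else "internet"
        findings.append((lineno, kind, f"{src} -> {dst}:{dport} ({sent} bytes)"))
    return findings

if __name__ == "__main__":
    for finding in audit_pos_egress(SAMPLE_FLOWS):
        print(finding)
```

Any "internet" or "lateral" finding means the segment is not actually locked down, whether or not the traffic turns out to be malicious.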

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
