
Attacks/Breaches

10/21/2014
12:20 PM

Several Staples Stores Suffer Data Breach

Attack appears smaller in scope but similar to incidents reported by several other major retailers this year.

Staples has joined the rapidly growing list of major retailers that have suffered a data breach this year.

Multiple banks say they have identified a pattern of fraud associated with credit and debit cards that were used at several Staples locations in the Northeast US recently, according to a report by KrebsOnSecurity.

Unlike many of the other major data breaches disclosed recently, the Staples breach appears to have affected only a relatively small subset of the retailer's 1,800 store locations countrywide.

Initial data suggests that seven Staples stores in Pennsylvania, three in New York City, and one store in New Jersey appear to have been affected, unnamed bank sources said in the report. There is no information so far on how many cards might have been compromised or if the breach affected other stores as well.

The fraudulent charges have all occurred at non-Staples locations. The pattern of use suggests that the attackers managed to steal card data from cash registers at the affected Staples locations and then used the data to make counterfeit cards.
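The bank-side detection the report describes is usually called common point of purchase (CPP) analysis: cards that later show fraud are traced back to the merchant locations they all visited before the fraud began. The following is an added illustration of that analysis, not code from the article or from any bank; the card ids, location names and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): card purchase history,
# then the cards later reported for fraudulent charges at other merchants.
PURCHASES = [
    # (card_id, merchant_location, purchase_date)
    ("card01", "Staples-PA-01", date(2014, 9, 2)),
    ("card02", "Staples-PA-01", date(2014, 9, 3)),
    ("card03", "Staples-PA-01", date(2014, 9, 5)),
    ("card04", "Staples-PA-01", date(2014, 9, 9)),
    ("card01", "Grocer-NJ-07", date(2014, 9, 7)),
    ("card05", "Grocer-NJ-07", date(2014, 9, 4)),
    ("card06", "Grocer-NJ-07", date(2014, 9, 6)),
    ("card09", "Grocer-NJ-07", date(2014, 9, 10)),
    ("card10", "Grocer-NJ-07", date(2014, 9, 11)),
    ("card07", "Gas-NY-03", date(2014, 9, 8)),
    ("card08", "Gas-NY-03", date(2014, 9, 8)),
    ("card02", "Gas-NY-03", date(2014, 10, 10)),  # after card02's fraud: ignored
]
FRAUD_REPORTS = {  # card_id -> date of first confirmed fraudulent charge
    "card01": date(2014, 10, 1),
    "card02": date(2014, 10, 3),
    "card03": date(2014, 10, 5),
    "card05": date(2014, 10, 2),
}

def common_point_of_purchase(purchases, fraud_reports, min_cards=3, min_ratio=0.5):
    """Rank merchant locations by the share of cards seen there that were
    later reported for fraud. Purchases on or after a card's first fraud
    date are ignored so that post-compromise shopping does not smear the
    signal onto innocent merchants. Returns (location, ratio, hit, total)."""
    cards_at = defaultdict(set)
    for card, location, when in purchases:
        first_fraud = fraud_reports.get(card)
        if first_fraud is None or when < first_fraud:
            cards_at[location].add(card)
    results = []
    for location, cards in cards_at.items():
        hit = sum(1 for c in cards if c in fraud_reports)
        ratio = hit / len(cards)
        if len(cards) >= min_cards and ratio >= min_ratio:
            results.append((location, ratio, hit, len(cards)))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results

if __name__ == "__main__":
    for loc, ratio, hit, total in common_point_of_purchase(PURCHASES, FRAUD_REPORTS):
        print(f"{loc}: {hit} of {total} cards later had fraud ({ratio:.0%})")
```

With the default thresholds only the constructed Staples location stands out; lowering `min_ratio` shows how a merchant that merely shares customers with the breached one appears as a weaker, secondary signal.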

A Staples spokesman says the company is in the process of investigating a potential issue involving credit card data. “We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis,” he said in a press release.

Though the Staples breach appears to be relatively small, at least based on available information, it is similar in nature to several others that have been reported recently.

Over the past several months, a slew of companies including Home Depot, K-Mart, grocery chain SuperValu Inc., UPS Stores Inc., Dairy Queen, and Goodwill Industries have all reported major credit and debit card compromises.

In most instances, the companies did not know they were breached until third parties notified them of fraudulent activity involving credit and debit cards used at their stores.

The breaches point to a US payment system in full crisis mode, says Avivah Litan, an analyst at Gartner.

As the US Department of Homeland Security and US Secret Service said months ago, at least 1,000 retailers have been compromised by a virulent point-of-sale malware threat called Backoff, Litan notes. It’s almost certain that Staples is just another victim of the same malware, she says.

“The news is just leaking out slowly but surely. The card brands don’t want to spook the public,” she says.

The ongoing migration of the US payments system to smartcards based on the Europay Mastercard Visa (EMV) standard will make it harder for attackers to use stolen credit and debit cards and therefore could reduce some of the incentive for such attacks, she says. “But it’s going to take at least two to three years before it makes a meaningful difference.”

In the meantime, there are several other approaches such as tokenization, point-to-point encryption, and mandatory PIN use that could make a big difference, she advises. “These measures would take less time to implement and would help considerably.”

James Huguelet, principal at The Huguelet Group LLC, a PCI consultancy, says the string of recent breaches is disconcerting.

“While I can only speculate as to why 2014 is proving to be the year for POS breaches, we’ve clearly passed some sort of tipping point,” Huguelet says. “The Target breach seems to have demonstrated to the cyber underground that these systems are often vulnerable and worthy of the time and effort to attack.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Stratustician, User Rank: Moderator, 10/21/2014 | 3:32:30 PM
It's the same old song...
It's frustrating that even despite all the other headline breaches, many large retailers aren't being proactive at updating their systems with baseline security. It will still be some time until we see chip and pin technologies made widespread in the US, so retailers need to step up their game in the meantime to protect their customers and their reputations. The problem is that there still isn't enough incentive for them to be proactive, since the breach fallout isn't causing too much economic harm for many of these larger retailers.