The Year Of The Retailer Data Breach
This year's wave of attacks was more dramatic in its widespread scope and seemingly constant battering of more than a dozen big box chains.
November 17, 2014
Cybercriminals found their sweet spot this past year with the retail industry, where some of the biggest big-box brand names and franchises were infiltrated by malware that helped the bad guys steal millions of credit and debit-card account numbers of shoppers.
Data breaches are nothing new for the retail industry -- think TJX in 2005, Dave & Buster's in 2007, to name a few -- but this year's wave of attacks was different and more dramatic in its widespread scope and seemingly constant battering of big-box retailers, with more than a dozen of them disclosing data breaches, including Target, Home Depot, Michaels, Dairy Queen, and most recently, Kmart.
Target became the poster child for how not to conduct an incident response operation, with more than 40 million payment cards pilfered from its computers after ignoring security alarms from the attack and then experiencing a public disclosure disaster that ultimately resulted in the departure of its CIO and CEO.
[The next Dark Reading Radio episode on Nov. 19 at 1:00 p.m. ET (10:00 a.m. PT) features retail security experts from Mandiant and the retail industry. Read Retail Hacking: What To Expect This Holiday Season.]
So just in time for the 2014 holiday shopping season, here's a look at 13 major retailers who revealed this past year that they had suffered data breaches. Don't be surprised if a few more come forward before we ring in 2015.
Target's information security operation should have been the envy of any retailer, with its million-dollar state-of-the-art security tools and its in-house security and incident response expertise. But Target instead became a poster child for retail hacks after its security team apparently dismissed what ended up being crucial FireEye security platform alerts of suspicious activity on its network. The attackers were able to siphon off some 40 million payment card account numbers before Target was the wiser. The attackers initially found their way in via Target's HVAC contractor in order to infect Target's point-of-sale system, leaving Target to report one of the biggest hacks of the year. It cost shareholders some $148 million in the end.
Neiman Marcus in January went public with a data breach of some 1.1 million payment cards. The company later dialed back that number to 350,000 affected cards after completing its breach investigation.
Michaels also rang in the New Year with some bad news: Some 2.6 million customer payment cards were exposed in a data breach of the arts and crafts chain. The good news, however, was that it was only in some stores, and represented about 7% of the cards used at Michaels stores during the attack.
Sally Beauty Supply in early March confirmed that it had suffered a data breach after a report published by KrebsOnSecurity. Sally Beauty first said that under 25,000 payment cards may have been exposed in the hack, but then later acknowledged it could be "a larger number" after further investigating the attack.
In June, restaurant chain P.F. Chang's became the latest known victim of a payment card hack that targeted its point-of-sale system after being alerted by the US Secret Service. In the end, attackers hit some 33 P.F. Chang's China Bistro restaurants in the US, the company said in an August update on the breach.
Some 330 Goodwill stores across 20 states were hit by a data breach via malware that exposed some 868,000 payment cards during intermittent attacks from February 10, 2013 until August 12, 2014. Like many other retail attacks, the bad guys got in via its point-of-sale system vendor.
The SuperValu grocery and food store chain announced two data breaches, first in August and then again in late September. The first attack was against the network that processes transactions at 180 stores between June 22 and July 17, but SuperValu said it was unclear whether payment cards had been stolen. The second breach occurred sometime in late August or early September, and affected payment card transactions at some of its Shop 'n Save, Shoppers Food & Pharmacy, and Cub Foods owned and franchised stores.
The United Parcel Service confirmed in late August that 51 of its 4,470 The UPS Store franchise stores had been hacked in a payment card breach involving some 105,000 transactions. The culprit was the infamous Backoff malware that targets PoS systems, and may have first infiltrated the stores' network as early as January.
Target's data breach may have been the kickoff for the Year of the Retail Breach, but Home Depot's cyber attack turned out to be much bigger overall, with some 56 million credit and debit cards exposed in a hack that began in April of this year. The home improvement chain earlier this month revealed more details of the attack, and it turns out it was eerily similar to Target's: attackers stole credentials from a third-party vendor, and were able to move laterally into the Home Depot network and implant "unique, custom-built malware" on self-checkout systems in Home Depot stores in the US and Canada, the company said. The bad guys also pilfered email addresses of 53 million of its customers.
Jimmy John's, the gourmet sandwich-maker with freakishly fast delivery standards, was a little late discovering that the point-of-sale systems in more than 200 of its stores had been infiltrated with malware that swallowed its customer payment card information. The sandwich chain in late September disclosed the attack, which it said began with log-in credentials stolen from its PoS vendor.
Dairy Queen went public in early October that it, too, had been burnt by a PoS malware attack via a third-party vendor's pilfered credentials. The infamous Backoff malware family was used to infect some 400 Dairy Queen locations, plus an Orange Julius store. The announcement came on the heels of a report in late August by KrebsOnSecurity that the chain indeed had been hacked as well.
A small number of Staples stores in Pennsylvania, New York City, and New Jersey reportedly were affected by a payment card breach. Staples is currently investigating the issue, which first came to light in a report by KrebsOnSecurity.
Last month it was big-box mainstay Kmart that revealed a data breach. Kmart said its IT team on October 9 discovered that its PoS system had been attacked in a hack that began in early September, according to its investigation. Some debit and credit card numbers were exposed in the malware attack.