Back in October, office supply chain Staples reported that more than 100 of its stores had been involved in a data breach and that the credit and debit card information of an unknown number of customers was exposed. Now the retailer has revealed that over 1 million customers had financial information compromised in the attack.
The store was first notified about the security intrusion after a number of banks reported seeing patterns of fraudulent activity suggesting that Staples locations in the northeastern U.S. were involved in a breach. After additional investigation, however, malicious software was reported by stores in 35 states across the country.
Nearly 10 percent of the retailer’s stores were hit by malware infections in their point-of-sale systems.
“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
According to security experts who reviewed the information on the breach provided by Staples, attackers were on the company’s networks for 182 days in total. It is estimated that the minimum time it took each store to identify and respond to a breach was 37 days.
Weak POS security common denominator in retail breaches
While some may consider the Staples breach to be tame in comparison with massive hacks like those that affected Target and Home Depot, the fact that cybercriminals were able to remain undetected within an enterprise network for six months is a major cause for alarm. All three breaches shared a similar flaw that led to sensitive systems becoming compromised: insufficient POS system security.
Malicious actors are becoming much more adept at modifying malware so it is capable of targeting specific systems and stealing credit card numbers and account information before retailers have a chance to encrypt it. One strain of POS malware, Backoff, has been so devastating for retailers that the Department of Homeland Security’s Cyber Emergency Readiness Team warned businesses that more than 1,000 U.S. stores had likely been infected with the malicious software.
While some security firms have created defense solutions specifically to protect against Backoff malware, there are still numerous alternatives cybercriminals can use to steal sensitive financial information. To ensure the security of privileged data, retailers should implement a layered security solution that involves the most up-to-date anti-virus protection available along with desktop lockdown, application whitelisting, and reboot-to-restore software.