Retailer Eddie Bauer is the latest organization to reveal that it was the victim of a malware breach of its point-of-sale (POS) systems. Payment cards used at Eddie Bauer from Jan. 2 until July 17, 2016, were potentially affected by the POS malware breach.
"Unfortunately, malware intrusions like this are all too common in the world that we live in today," Mike Egeck, CEO of Eddie Bauer, wrote in an open letter. "In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels and retailers, including Eddie Bauer."
The company is working with the FBI to identify those responsible for the attack, and Eddie Bauer is now conducting a comprehensive review of its infrastructure to limit the risk of a future breach, Egeck said.
POS systems are attractive, frequent targets, and in many ways are low-hanging fruit, said security experts.
"These types of targeted point-of-sale malware attacks are continuing to occur on a regular basis, and the news of this latest breach comes as no surprise," Jeff Man, security advocate at Tenable Network Security, told eWEEK. "For every publicly reported breach like Eddie Bauer, there are literally hundreds of smaller merchants being compromised that we don't hear about."
Cesar Cerrudo, CTO of IOActive Labs, commented that he's not surprised by the Eddie Bauer breach as most companies are always catching up on security. He added that it's difficult to properly protect against all threats but that companies should be able to quickly identify and contain and isolate attacks, which wasn't the case with Eddie Bauer.
Payment systems are typically subject to PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, which are supposed to help provide a baseline level of security for retailers. Kevin Bocek, vice president of security strategy and threat intelligence, at Venafi, isn't a fan of PCI DSS.
"PCI DSS is becoming increasingly circus-like," Bocek told eWEEK. "It's the checklist that even retailers agree has become a less-than-effective dinosaur."
Georgia Weidman, CTO and founder of Shevirah, emphasized that PCI DSS is only a small part of a much larger security puzzle.
"Every company that has been spectacularly hacked in the last three years has been PCI compliant—Sony, Target, Anthem, pick your favorite," Weidman told eWEEK. "Obviously, based on that evidence, while a good step in the right direction, PCI is not sufficient to protect against breaches."
PCI DSS is only a small part of a mature security program that includes testing, not just a specific set of checks the PCI committee picked out on a certain set of IT assets, but rather comprehensive testing on all assets, including humans, mobile devices and physical controls, to assess and mitigate the risk of compromise, Weidman said.
It's important to understand that demonstrating PCI DSS compliance was never intended to prevent all breaches from occurring, Man said, adding that it was intended to provide some basic level of security to companies that don't historically pay a lot of attention to data security.
"PCI DSS, when followed correctly, is not intended to stop breaches, but to detect them early and minimize the damage," Man said. "The original intent of the PCI DSS was to provide a safe harbor for merchants when they experienced breaches, so they could demonstrate that they were practicing some level of due diligence in terms of data security and avoid paying the fines and replacement costs associated with the breaches."
PCI DSS is extremely valuable when applied correctly, Man said He noted that, unfortunately, too many companies (merchants, vendors and providers) focus more on limiting the scope and reducing the burden of PCI compliance, rather than treating the PCI DSS for what it is—a decent, fairly comprehensive framework for applying sound data security principles in organizations that previously had little or no organized data security practices.
There are a number of things that retailers should be doing today to make sure they don't end up in the same position as Eddie Bauer tomorrow.
Marcus Carey, CTO and founder of vThreat, suggested that companies should keep their POS systems separate from corporate networks, which can make massive corporate compromises harder to propagate. He also said employees shouldn't be allowed to surf the internet on POS systems.
"Having an effective vulnerability management program is critical for any retail chain, as well," Carey told eWEEK.
Venafi's Bocek suggested that retailers urgently need to understand what is trusted or not on their networks and POS devices in order to help minimize risk.
IOactive's Cerrudo commented that retailers need to be able to identify possible breaches and contain them quickly.
"Basically, they should assume they will be hacked and know exactly what they are going to do when that happens," Cerrudo said. "If you don't assume you will be hacked and have a plan for that, sooner or later you will end up as another breached company."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.