
    Eddie Bauer Reveals It Was the Victim of a POS Breach

    By
    SEAN MICHAEL KERNER
    -
    August 19, 2016

      Retailer Eddie Bauer is the latest organization to reveal that it was the victim of a malware breach of its point-of-sale (POS) systems. Payment cards used at Eddie Bauer from Jan. 2 until July 17, 2016, were potentially affected by the POS malware breach.

      “Unfortunately, malware intrusions like this are all too common in the world that we live in today,” Mike Egeck, CEO of Eddie Bauer, wrote in an open letter. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels and retailers, including Eddie Bauer.”

      The company is working with the FBI to identify those responsible for the attack, and Eddie Bauer is now conducting a comprehensive review of its infrastructure to limit the risk of a future breach, Egeck said.

      POS systems are attractive, frequent targets, and in many ways are low-hanging fruit, said security experts.

      “These types of targeted point-of-sale malware attacks are continuing to occur on a regular basis, and the news of this latest breach comes as no surprise,” Jeff Man, security advocate at Tenable Network Security, told eWEEK. “For every publicly reported breach like Eddie Bauer, there are literally hundreds of smaller merchants being compromised that we don’t hear about.”

      Cesar Cerrudo, CTO of IOActive Labs, commented that he’s not surprised by the Eddie Bauer breach, as most companies are always catching up on security. He added that it’s difficult to properly protect against all threats, but that companies should be able to quickly identify, contain and isolate attacks, which wasn’t the case at Eddie Bauer.

      Payment systems are typically subject to PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, which are supposed to provide a baseline level of security for retailers. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, isn’t a fan of PCI DSS.

      “PCI DSS is becoming increasingly circus-like,” Bocek told eWEEK. “It’s the checklist that even retailers agree has become a less-than-effective dinosaur.”

      Georgia Weidman, CTO and founder of Shevirah, emphasized that PCI DSS is only a small part of a much larger security puzzle.

      “Every company that has been spectacularly hacked in the last three years has been PCI compliant—Sony, Target, Anthem, pick your favorite,” Weidman told eWEEK. “Obviously, based on that evidence, while a good step in the right direction, PCI is not sufficient to protect against breaches.”

      PCI DSS is only a small part of a mature security program, Weidman said. Such a program includes testing, and not just the specific set of checks the PCI committee picked out for a certain set of IT assets, but comprehensive testing of all assets, including humans, mobile devices and physical controls, to assess and mitigate the risk of compromise.

      It’s important to understand that demonstrating PCI DSS compliance was never intended to prevent all breaches from occurring, Man said, adding that it was intended to provide some basic level of security to companies that don’t historically pay a lot of attention to data security.

      “PCI DSS, when followed correctly, is not intended to stop breaches, but to detect them early and minimize the damage,” Man said. “The original intent of the PCI DSS was to provide a safe harbor for merchants when they experienced breaches, so they could demonstrate that they were practicing some level of due diligence in terms of data security and avoid paying the fines and replacement costs associated with the breaches.”

      PCI DSS is extremely valuable when applied correctly, Man said. He noted that, unfortunately, too many companies (merchants, vendors and providers) focus more on limiting the scope and reducing the burden of PCI compliance than on treating the PCI DSS for what it is—a decent, fairly comprehensive framework for applying sound data security principles in organizations that previously had little or no organized data security practice.

      There are a number of things that retailers should be doing today to make sure they don’t end up in the same position as Eddie Bauer tomorrow.

      Marcus Carey, CTO and founder of vThreat, suggested that companies should keep their POS systems segregated from corporate networks, so that a compromise on one side cannot easily propagate into a massive corporate breach. He also said employees shouldn’t be allowed to surf the internet on POS systems.

      “Having an effective vulnerability management program is critical for any retail chain, as well,” Carey told eWEEK.

      Venafi’s Bocek suggested that retailers urgently need to understand what is trusted or not on their networks and POS devices in order to help minimize risk.

      IOActive’s Cerrudo commented that retailers need to be able to identify possible breaches and contain them quickly.

      “Basically, they should assume they will be hacked and know exactly what they are going to do when that happens,” Cerrudo said. “If you don’t assume you will be hacked and have a plan for that, sooner or later you will end up as another breached company.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
