2014 is likely to go down in history as the year of the data breach. The latest set of reported breaches includes a second attack against grocery chain Supervalu and an attack against point-of-sale (POS) vendor Signature Systems that affects more than 300 restaurants.
It’s bad enough for an organization to admit that it is the victim of a data breach, but it is even more troublesome when a company has to admit to multiple successive breaches.
In the case of Supervalu, the grocery chain first admitted on Aug. 14 that it had been the victim of a data breach that impacted 180 of its stores and affiliates across the United States. In a statement issued Sept. 29, Supervalu admitted that a different malware than the initial breach was installed in its payment card transaction systems. Supervalu has not yet publicly identified what malware was present in the Aug. 14 breach or which malware was found in the breach disclosed Sept. 29.
Multiple POS system malware variants are currently active. Among the most prevalent is the Backoff malware, which has already infected at least 1,000 retailers.
In the latest intrusion, Supervalu claims that security technology now in place at its stores limited the ability of the new malware to steal any customer information.
“Supervalu believes that this malware did not succeed in capturing data from any payment cards used at any stores other than at some checkout lanes at four Cub Foods franchised stores,” Supervalu noted in a statement. “Even as to the checkout lanes at these four stores, the company has made no determination that any cardholder data was in fact stolen by the intruder.”
In all of the retail breaches, POS systems are the primary target. While some stores have their own POS systems, others use third-party POS vendors, like Signature Systems, which provides services to restaurants, including Jimmy Johns. Jimmy Johns was breached in an incident first disclosed Sept. 24 and involving 216 of its restaurant locations.
Signature Systems revealed that 108 additional restaurants were breached in the same incident.
“We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems,” Signature Systems wrote in an advisory. “The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.”
The issue of unauthorized remote access to a POS system is one of the primary root causes in many of the retail breaches reported in 2014 so far. For Backoff malware in particular, remote access has been identified by multiple security vendors as being the primary path to infection.
The recent incidents at Supervalu and at Signature Systems show two different sides of the POS breach issue.
With Supervalu, it would appear as though the company did learn from the initial breach and does have controls in place to detect and limit the risk of malware. The Signature Systems incident raises the question of trust in third-party payment providers. Simply put, if an attacker is able to breach one of these providers, instead of breaching one retailer or restaurant, they breach hundreds.
The message about POS security, including the need to secure remote access and actively scan for malware, is one that not all retailers have yet learned. The simple truth: Even in the case of the Backoff malware, though the U.S. government has warned that 1,000 retailers are at risk, to date, 1,000 retailers have not yet publicly disclosed that they were victims.
With Thanksgiving and the big holiday shopping season ahead, the stakes in the race to secure POS systems couldn’t be any higher.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.