In August 2016, Eddie Bauer became one of the latest well-known retailers to get hit with a security breach. According to a statement by the company’s CEO Mike Egeck, Eddie Bauer learned that the point-of-sale systems at its retail stores were affected by malware.
The company immediately launched a full investigation with third-party digital forensic experts to identify and contain the attack as quickly as possible. It determined that customers’ payment card information used at its retail stores on various dates between January 2, 2016 and July 17, 2016 might have been accessed.
Not all cardholder transactions during this period were affected, the statement said. For example, payment card information used online at eddiebauer.com was not affected. Egeck assured customers that the company had fully identified and contained the incident.
“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” Egeck noted. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”
Eddie Bauer is conducting a comprehensive review of its IT systems to incorporate recommended security measures in order to strengthen them and prevent this type of incident from happening again.
But it did happen, and unfortunately it happens all too often in an industry that handles countless transactions in stores and online with consumers around the world. Eddie Bauer joined a long list of retailers that have experienced security incidents in recent years. That list includes Target, Home Depot, Michaels, Neiman Marcus and Kmart, among others.
Despite ongoing efforts to bolster security, such as the migration to the EMV (Europay, MasterCard and Visa) standard for payment card systems, retailers are still struggling to protect their networks and systems against attacks that seem to grow all the more sophisticated.
Many U.S. retailers have implemented the standard, also known as “chip and PIN,” which involves the use of chips embedded in cards that encrypt account information, together with personal identification numbers. It’s been in use in much of the world for years, and is designed to strengthen the security of credit card transactions by making it harder for cyber criminals to access accounts.
But as CSO reported in March 2016, despite the fact that the technology is more secure than legacy “swipe-and-signature” systems, adoption of the new system remains slow. Many small merchants find the cost of upgrading more significant than the increased liability risk, the site said.
In general, retailers are common targets for several types of attacks. As noted in Verizon’s 2016 Data Breach Investigations Report, retail was among the top industries to report incidents including Web application attacks, point-of-sale intrusions and payment card skimming.
And attacks against merchandisers can be quite costly. According to an August 2016 report by consulting firm KPMG, cyber attacks could cost retailers one fifth of their shoppers. Consumers are wary of the increased frequency of attacks against retailers, the study said, and many are ready to walk away from their favorite retailers if a breach occurs.
The firm’s 2016 KPMG Consumer Loss Barometer, which included a survey of 448 consumers, found that 19% said they would stop shopping at a retailer that had been a victim of a cyber security hack, even if the company took the necessary steps to remediate the issue.
The industry is making efforts to bolster security. In April 2014 the Retail Industry Leaders Association (RILA), in conjunction with some of the best known retail brands, created the Retail Cyber Intelligence Sharing Center (R-CISC). Through this effort, retailers share threat information among themselves and with public and private stakeholders such as government agencies.
In February 2016 R-CISC teamed up with Target to host the first Retail Cybersecurity Analyst Hunting Expedition, which is designed to support cyber security specialists in detecting and preventing attacks against retailers. Numerous top retailers gathered at Target’s headquarters in Minneapolis to evaluate how they are currently managing threat intelligence, detection, mitigation and response.
And in May, R-CISC hosted its first summit meeting, bringing together more than 200 participants from the retail and consumer service industries to exchange insights and share information on key cyber security topics. The group discussed topics including the ripple effect within an organization after a breach, how to secure the Internet of Things (IoT), and the impact on businesses that deploy mobile device payment systems.
The collaboration taking place within R-CISC is steadily increasing the ability to prevent successful cyber attacks across the industry, according to Brian Engle, R-CISC executive director. Target and the other participants are sharing threat intelligence that enables effective prioritization and decisive actions, focusing on the most relevant and pertinent threats, he said.