Starting in late 2013 and continuing through to the spring of 2014, a series of ever larger security breaches of major American retailers were announced to the public. The latest, Home Depot, was hit by BlackPOS, the same malware used to pull customer data from Target’s point-of-sale machines. Millions have been spent trying to assure customers and repair brand damage, millions more lost as the news directly affected bottom lines from the holiday season onward.
What’s worse is that many of the breaches weren’t a one-time heist but a strategy well-planned and carried out over months, or in some cases years.
Why the delay in announcing the breaches? Let’s take a look at some of the companies recently breached and look for patterns.
Neiman Marcus –
The Neiman Marcus attack took place while the company was in compliance with standards meant to protect transaction data. However, key features of their system were disabled to allow for regular system maintenance and security updates. Hackers gained entry through the point-of-sale (POS) devices, and during the months of July through October, thieves made off with card details for 350,000 users. It wasn’t Neiman Marcus that discovered the breach, but banking institutions that alerted the retailer in December to suspicious activity on accounts that all had Neiman Marcus in common, and it was not until January of this year that the company confirmed the breach, thanks to private investigators.
Michaels Craft Stores –
Michaels, and its subsidiary Aaron Brothers, were targeted using a card skimmer installed on individual POS machines in about a hundred of its stores, grabbing credit and debit card numbers and expiration dates. The breach lasted from May of 2013 through to January of this year, putting 2.6 million cards at risk. They, too, were alerted to the breach not by internal measures but by banking and law enforcement authorities that traced fraudulent activity back to customers who had shopped at the company’s brick-and-mortar stores.
Not Just The Big Chains –
These retailers aren’t alone. Other, smaller chains have been hit in similar attacks where POS machines are compromised or local computers are used to gain entry into larger networked systems – companies like beauty supply chain Sally Beauty, the P.F. Chang’s restaurant chain, over 300 Goodwill locations breached over the course of 18 months, and southern US wine retailer Spec’s, whose compromise lasted for over a year and a half and exposed bank account numbers, birth dates and driver’s licenses.
So why the delay? In most cases the retailer just didn’t know it was happening.
The common theme in all of these attacks is that hackers are increasingly using brick and mortar stores as their entry point to gain customer credentials that are subsequently used in online fraud (over 9,000 Neiman Marcus customers reported fraudulent activity on their accounts following the breach).
Naturally, keeping customer data safe is important. After every breach, profits dropped as companies paid out for private investigators and credit protection for affected customers. But beyond protecting data, which is defensive, online retailers can go on the offensive instead.
When companies have the ability to recognize fraudulent actions before the transaction occurs, the way NuDetect does, they won’t just protect themselves from fraud – they make it less attractive for hackers to steal those credentials in the first place.