Card Breach at Kmart Stores Again Creates CU Problems

June 2, 2017 Marketing GrafWebCUSO

The second credit-card breach in three years at Kmart has once again forced credit unions, and other financial institutions, to deal with the repercussions of potential fraud involving their accountholders.

In the first of two articles, security experts provide their take on the ramifications of card breaches on credit unions and businesses.

Sears Holdings, the parent company of Kmart, confirmed it experienced another malware-based data breach of its card processing systems. The company did not reveal how many of its 735 Kmart locations saw signs of a breach, but said it did not affect online purchases.

“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls,” Howard Riefs, a spokesman for Sears Holdings, said in a statement. “Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”

The statement added that based on forensic investigation, the cybercriminals did not obtain any personal identifying information (including names, addresses, social security numbers, and email addresses). “However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant POS systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited.”

Brian Krebs in his KrebsOnSecurity blog first reported the incident after hearing from credit unions and smaller banks who said they strongly suspected another Kmart card breach. “Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in common: They were all used at Kmart locations,” Krebs stated.

In October 2014, Sears announced a similar breach not involving PII. Krebs added that both breaches involved malware designed to steal credit and debit card data from hacked point-of-sale devices.

“It’s no secret that major retailers like Kmart need to protect against malware threats in order to protect their customers’ data, as well as their brand and reputation,” John Christly, Global CISO, Netsurion, a provider of managed security services for multi-location businesses, and EventTracker, a SIEM company, said.

“All Kmart stores had EMV-capable credit card terminals. But not all financial institutions have provided chip-enabled cards just yet, leaving consumers using magnetic stripe cards more vulnerable to fraud,” Christly noted. “Merchants should also remember that being compliant may not be (and is usually not) the same thing as being secure. It’s one thing to do basically the bare minimum to meet compliance mandates, but it’s completely another thing to do IT security properly.”

Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said, “The propensity for cybercrooks to target and load data-capturing/stealing POS systems has been increasing in the past few years, but yet the security controls have not improved! Why is this? There are several reasons:”

Among the reasons Herold cited are lack of:

  • Documented policies and procedures.
  • Training and ongoing awareness reminders.
  • Risk management.
  • Vendor/third party security and privacy management.

“Few organizations have any type of ongoing vendor security oversight programs in place, leaving themselves wide-open to having all the risks of their vendors brought into their own network environment,” Herold stated.

Ashley McAlpine, fraud prevention manager at CO-OP Financial Services, said, “Credit unions will need to make decisions on how they want to react to the Kmart breach; whether that is to reissue cards, notify members or put impacted cardholders into a more restrictive fraud strategy.” She recommended credit unions evaluate any fraud experienced thus far and the potential risk on open cards.

McAlpine pointed out that Kmart has integrated EMV technology into its terminal systems. “That doesn’t mean EMV-issuing credit unions should not be worried about fraud transpiring. That’s because transactions that are forced to swipe their cards (known as ‘fallback transactions’) would still be susceptible to having data retrieved by fraudsters.”
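As an added illustration (not code from the article or from any company quoted in it), the script below shows how an issuer's fraud team could reproduce the two signals the article describes: the common-point-of-purchase analysis behind the card-network alerts that pointed at Kmart, and the list of open cards exposed through swiped or EMV-fallback transactions at the suspect merchant, which McAlpine identifies as the population to reissue or restrict. The card ids, merchant names and transactions are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (card id, merchant brand, store, ISO date, entry mode).
TRANSACTIONS = [
    ("C1", "Kmart", "101", "2017-04-03", "fallback"),  # chip card forced to swipe
    ("C1", "GroceryCo", "7", "2017-04-05", "chip"),
    ("C2", "Kmart", "101", "2017-04-10", "swipe"),     # magstripe-only card
    ("C2", "GroceryCo", "7", "2017-04-11", "chip"),
    ("C3", "Kmart", "220", "2017-04-12", "fallback"),
    ("C3", "GroceryCo", "7", "2017-04-13", "chip"),
    ("C4", "GroceryCo", "7", "2017-04-14", "chip"),
    ("C4", "CoffeeCo", "3", "2017-04-15", "chip"),
    ("C5", "GroceryCo", "7", "2017-04-16", "chip"),
    ("C5", "Kmart", "220", "2017-04-17", "chip"),      # chip read: not exposed
]
# Cards the card network reported in a stolen batch (constructed).
ALERTED = {"C1", "C2", "C3"}


def common_point_of_purchase(transactions, alerted):
    """Rank merchant brands by how over-represented they are among alerted cards.
    coverage: share of alerted cards seen at the brand.
    lift: coverage divided by the share of *all* cards seen there, so a brand
    everyone shops at (GroceryCo here) scores about 1 and is not flagged.
    """
    cards_at, all_cards = defaultdict(set), set()
    for card, brand, _store, _day, _mode in transactions:
        cards_at[brand].add(card)
        all_cards.add(card)
    ranked = []
    for brand, cards in cards_at.items():
        coverage = len(cards & alerted) / len(alerted)
        lift = coverage / (len(cards) / len(all_cards))
        ranked.append((brand, round(coverage, 3), round(lift, 3)))
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)


def fallback_exposed_cards(transactions, brand, start="2017-04-01", end="2017-05-31"):
    """Cards whose track data was readable at the suspect brand in the window.
    Only swiped transactions (magstripe cards and EMV 'fallback' swipes) expose
    static track data a POS memory scraper can reuse; chip reads are excluded.
    """
    return sorted({card for card, b, _s, day, mode in transactions
                   if b == brand and start <= day <= end
                   and mode in ("swipe", "fallback")})


if __name__ == "__main__":
    suspect = common_point_of_purchase(TRANSACTIONS, ALERTED)[0][0]
    print("suspect merchant:", suspect)
    print("cards to reissue or restrict:", fallback_exposed_cards(TRANSACTIONS, suspect))
```

The date window and entry-mode labels are assumptions; a real issuer would take them from its own authorization records (the POS entry mode field) and the card network's alert.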