There are reports emerging that yet another major retail chain may be the victim of a credit card data breach. The worst part about the news that Staples may have been compromised, though, is that the news is coming third-hand from card providers observing fraudulent activity rather than from Staples itself. Why does it seem like the affected business is always the last to know?
Brian Krebs wrote yesterday on the Krebs on Security blog that a number of banks have identified a pattern of fraudulent credit and debit card activity that appears to point back to Staples outlets in the northeastern United States. It’s news to Staples, though, which is now apparently investigating the issue.
“The identification of breaches through fraudulent activity is like finding out your house was burglarized by seeing your TV in the pawn shop window,” exclaimed Tim Erlin, director of IT risk and security strategy for Tripwire. “If this pattern in retail breaches isn’t familiar to you by now, you haven’t been paying attention.”
Krebs shared a quote from Mark Cautela, senior public relations manager for Stapes, explaining, “We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
To be fair, the evidence against Staples is circumstantial, and it is reasonable for Staples to investigate to determine the veracity of the reports before commenting or responding further. History suggests, however, that the reports are likely accurate, which then begs the question, “Why does Staples need third-party financial institutions to let it know after the fact that its network has been compromised?”
Ken Westin, a Tripwire security analyst, said, “When bank fraud analysts detect a potential breach it means the criminal group behind the breach have been able to compromise the network, install malware and successfully exfiltrate card data. They have accomplished all of this without being detected. It also means that at least some of the credit cards involved in the breach have already been dumped and sold in underground forums.”
Erlin proclaimed, “As an industry, we have to do better and get ahead of the attackers. Retailers especially need to take the necessary steps to identify breaches and malware in their environments.”