Experts have a long list of suggestions for retailers to avoid security breaches

The security breach discovered at a few dozen franchises of the UPS Store, a subsidiary of United Parcel Service, provides a number of lessons for other retailers.

The UPS Store reported Wednesday that malicious software was found within the in-store cash register systems of 51 franchises in 24 states, or about 1 percent of the 4,470 U.S. stores.

The compromise exposed customer names, postal and email addresses and payment card information. How many people were affected was not disclosed.

Malware infections on so-called point-of-sale systems were also discovered in a string of breaches reported by other major retailers, including Michaels, Neiman Marcus, P.F. Chang’s, Sally Beauty, Target and, more recently, the Albertsons and Supervalu supermarket chains.

In all the computer break-ins, the hackers scanned the networks for tools that let employees and vendors access systems remotely. Once the tools were found, the criminals focused on finding vulnerabilities or stealing credentials to let themselves in.

Once a system was breached, the hackers traveled through the network to the electronic cash register system, where malware was planted to capture credit-card data.

Because credit-card data often remains in plain text until it arrives at the payment processor, an obvious precaution is to encrypt the information as soon as the card is swiped and leave the decryption key with the processor, experts say.

Such a system would be expensive to install, since it would involve replacing card readers and upgrading software within the POS systems. Nevertheless, with hackers exploiting the weakness, the cost is likely less than that of a breach.

Target, which reported its security breach late last year, says costs associated with the POS system compromise have reached $148 million.

The UPS Store started searching for the malware shortly after receiving, around July 31, a U.S. government warning that hackers were scanning retailers’ networks for remote access tools.

Security experts praised the UPS Store for its quick response.

“This probably stopped it (the infection) from getting much worse,” Chris Wysopal, chief technology officer for Veracode, said.

Because hackers are looking for network credentials, retailers need to make a list of the employees and vendors with remote access and restrict their privileges to those resources that are absolutely necessary.

Also, passwords should be changed at least every six months, and when vendors are dropped or employees leave, their credentials should be revoked immediately.

After the malware was found, the UPS Store hired an IT security firm and found the malware, which was removed from systems Aug. 11.

The malicious code had been in the store systems for as long as seven months before it was removed. Technology called endpoint anomaly detection might have found the malware sooner. Such technology establishes a baseline of normal activity and then alerts if there is a deviation.

A protective technology recommended for POS systems is white-listing software that blocks any unknown code from executing.

“Whitelisting works really well in environments where the software that should be running is very restrictive, such as point-of-sale terminals,” Wysopal said.

Businesses like the UPS Store should enforce a standard security policy across franchises, Ehsan Foroughi, director of research for Security Compass, said.

Requirements could include an approved POS system, regular installation of updates and patches, regular password changes, controls for limiting employee and vendor access and regular security training for franchise owners, managers and POS workers.

“A lot of these breaches are because of people who just don’t know the risks,” Foroughi said.
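
The remote-access advice above (list who has access, restrict privileges to what is necessary, change passwords at least every six months, revoke credentials when vendors are dropped or employees leave) can be run as a periodic audit. The following is an added example, not code from the article or from any retailer; the account names, resource names, dates and the 182-day reading of "six months" are assumptions.

```python
from datetime import date, timedelta

# The article's rotation interval ("at least every six months"), taken as 182 days.
MAX_PASSWORD_AGE = timedelta(days=182)

# Constructed inventory of remote-access accounts; every name and date is made up.
ACCOUNTS = [
    {"user": "store-mgr-01", "owner_active": True, "enabled": True,
     "password_set": date(2014, 6, 2),
     "granted": {"pos-admin"}, "needed": {"pos-admin"}},
    {"user": "pos-support-vendor", "owner_active": True, "enabled": True,
     "password_set": date(2013, 11, 20),
     "granted": {"pos-remote-support", "pos-admin", "file-share"},
     "needed": {"pos-remote-support"}},
    {"user": "former-clerk", "owner_active": False, "enabled": True,
     "password_set": date(2014, 3, 15),
     "granted": {"pos-admin"}, "needed": set()},
    {"user": "old-pos-vendor", "owner_active": False, "enabled": False,
     "password_set": date(2012, 5, 1),
     "granted": set(), "needed": set()},
]

def audit_account(acct, today):
    """Return the findings for one account as a list of (code, detail) pairs."""
    if not acct["enabled"]:
        return []  # already revoked, nothing to report
    if not acct["owner_active"]:
        # Departed employee or dropped vendor: revocation outranks everything else.
        return [("REVOKE", "owner no longer with the business")]
    findings = []
    age = today - acct["password_set"]
    if age > MAX_PASSWORD_AGE:
        findings.append(("ROTATE", f"password is {age.days} days old"))
    excess = acct["granted"] - acct["needed"]
    if excess:
        findings.append(("REDUCE", ",".join(sorted(excess))))
    return findings

def audit(accounts, today):
    """Map each user with at least one finding to its findings."""
    checked = ((a["user"], audit_account(a, today)) for a in accounts)
    return {user: found for user, found in checked if found}

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, date(2014, 8, 20)).items():
        for code, detail in findings:
            print(f"{user}: {code} ({detail})")
```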
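
The two endpoint controls described above, white-listing that blocks unknown code and anomaly detection that alerts on deviation from a baseline, are sketched together here as an added example that is not from the article or any vendor product. The file paths and contents are constructed stand-ins, and treating "approved code in an unrecorded location" as the deviation is an assumption made for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "golden image" of one terminal: path -> stand-in file contents.
GOLDEN_IMAGE = {
    r"c:\pos\register.exe": b"register build 4.2",
    r"c:\pos\cardreader.dll": b"card reader driver 1.9",
    r"c:\windows\system32\svchost.exe": b"os service host",
}

def build_baseline(image):
    """Return (approved hashes, path -> hash recorded at baseline time)."""
    by_path = {path.lower(): sha256_hex(data) for path, data in image.items()}
    return set(by_path.values()), by_path

def decide(baseline, path, data):
    """Classify one attempted execution as ALLOW, ALERT or BLOCK."""
    approved, by_path = baseline
    digest = sha256_hex(data)
    if digest not in approved:
        # Allowlisting: code that is not on the list never runs, whatever its name.
        return "BLOCK"
    if by_path.get(path.lower()) != digest:
        # Approved code, but not where the baseline saw it: a deviation to alert on.
        return "ALERT"
    return "ALLOW"

# Constructed execution attempts, again with stand-in contents.
EVENTS = [
    (r"C:\POS\register.exe", b"register build 4.2"),
    (r"C:\POS\register.exe", b"register build 4.2 + extra code"),
    (r"C:\Users\Public\update.exe", b"never seen before"),
    (r"C:\Users\Public\svchost.exe", b"os service host"),
]

def classify_all(image, events):
    """Build the baseline from the image and classify every event in order."""
    baseline = build_baseline(image)
    return [decide(baseline, path, data) for path, data in events]

if __name__ == "__main__":
    for (path, _), verdict in zip(EVENTS, classify_all(GOLDEN_IMAGE, EVENTS)):
        print(f"{verdict:5} {path}")
```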