New Retail Breach Reported

Tool Store Chain is the Latest in String of Attack Victims

By Jeffrey Roman, July 23, 2013.

Harbor Freight Tools, a U.S.-based chain of 400 retail tool stores, has reported a breach against its payment processing system.

The Calabasas, Calif.-based company says in a statement that it was advised by several credit card companies that it may have been the target of a cyber-attack. Upon investigation, the company confirmed the attack, but it is providing few details about the incident.

Harbor Freight Tools hired computer security firm Mandiant to examine its system and implement enhanced security measures, the statement says.

The company says it is unsure how many customers were affected. Now that the attack has been blocked, Harbor Freight is working to identify when the attack started and which stores were affected, according to an FAQ provided with the statement.

The incident is "similar to attacks being reported by other national retailers," says Eric Smidt, company president, apparently making reference to other recent malware attacks, such as those against the restaurant chain Roy's and convenience store chain MAPCO Express.

Harbor Freight posted notices about the attack in the aisles of every one of its 400 stores, a spokesman for the company told Information Security Media Group on July 20. A special hotline has been created for customers who have questions about the incident.

"We are continuing to investigate the attack," the spokesman says. The company's statement notes: "We are working with our computer security firm and payment processor to identify cards that might be affected so that the credit card companies can issue alerts to the banks that issued those [affected] cards."

Payments System 'Fundamentally Insecure'

Financial fraud expert Avivah Litan says Harbor Freight is "likely doing the best they can" in response to the breach. "Their first priority should be to notify the banks and optimally the cardholders of the card accounts that were potentially compromised," she says.

But retailers are far from winning the cybersecurity battle, says the analyst with the consulting firm Gartner.

"Retailers are not security experts and should not have to be," she says. "The payment systems used in the United States are fundamentally insecure. They were built many decades ago, and we are still relying on antiquated magnetic stripe card technology to secure the payment systems."

Until the U.S. switches to EMV chip card technology, attacks targeting retailers will continue, she predicts. "[The U.S.] is one of the only countries left in the world with no clear EMV migration plan," she says.

Recent Retail Breaches

The Harbor Freight incident is just the latest in a series of cyber-attacks affecting retailers.

In the Roy's incident, the Honolulu-based restaurant chain said malware that infected one employee's desktop PC likely infiltrated its network and may have exposed card data [see: Retail Breach Hits Hawaii Restaurants]. Roy's Holdings Inc., which owns and manages six restaurants in Hawaii, on July 5 confirmed that the compromise may have exposed debit and credit card information related to transactions conducted at five of its locations Feb. 1-25.

In May, the FBI was investigating a payment card breach affecting customers of the MAPCO Express convenience store chain [see: FBI Investigates Another Retail Breach]. The breach involved hackers remotely installing malware on card-processing systems, MAPCO reported.

As a result of the MAPCO breach, three class action lawsuits have been filed alleging payment details were exposed on hundreds of debit and credit cards [see: MAPCO Express Sued Over Malware Attack].

In April, a malware attack targeting certain Kentucky and southern Indiana merchants was revealed. The attack, which was traced back to a vulnerability in software used to remotely access POS devices and systems, likely began sometime in mid-February [see: Retail Breach Contained; Fraud Ongoing].

And on March 30, Schnucks Markets Inc. confirmed its point-of-sale network had been attacked by "malicious computer code" designed to capture payment card details. A class action lawsuit has been filed against Schnucks, a St. Louis-based grocery store chain [see: Schnucks Sued Over Malware Attack].

Follow Jeffrey Roman on Twitter: @gen_sec
