A cyber-attack that hit Harbor Freight Tools and likely exposed card data processed at all 400 of its retail tool stores could rank among one of the biggest retail breaches this year, one card issuer says.
In fact, the issuer, who asked to remain anonymous, says compromised cards linked to the Harbor Freight attack will likely hit totals similar to those that resulted from a breach at Schnuck Markets Inc., discovered in April, and a similar breach at Raley's Family of Fine Stores, discovered in June. Both merchants were hit by sophisticated cyber-attacks that infiltrated their stores' corporate networks.
Card fraud linked to retail breaches is a growing concern for banking institutions. Attacks on retailers ranked among the top two most common reasons for card-related fraud losses in the last 12 months, according to Information Security Media Group's 2013 Faces of Fraud Survey. Card-not-present fraud was the other most common reason for those losses, the survey shows.
In the Schnucks breach, an estimated 2.4 million debit and credit cards were exposed. And although Raley's has not released estimates about the number of cards impacted by its breach, some card issuers say millions were likely affected.
In its June statement, Raley's, a Sacramento, Calif.-based supermarket chain that operates 130 stores under the Raley's, Bel Air Markets, Nob Hill Foods and Food Source names, noted that only a portion of its computer network systems appeared to have been targeted. "Cybercriminals may have obtained customer credit and debit card information," the company stated. "We do not collect Social Security or drivers' license numbers in association with payment card transactions."
Raley's did not respond to Information Security Media Group's request for additional comment about the attack, which may have affected portions of its payments system.
Although Harbor Freight has not stated the number of cards potentially affected by the attack that hit its corporate network, three separate card issuers have confirmed that fraud linked to the tool store breach is growing, with new advisories about possible compromised card numbers coming out from card brands on a nearly daily basis.
One issuer says more than 10,000 of its cardholders have so far been impacted; another issuer estimates more than 20,000 of its cardholders have been affected.
In a July 20 statement about the cyber-attack, Harbor Freight President Eric Smidt said the breach was "similar to attacks being reported by other national retailers," apparently making reference to malware attacks that have targeted other merchants, such as Schnucks, Raley's, upscale restaurant chain Roy's Holdings Inc. and convenience store chain MAPCO Express.
Now, one card fraud expert, who also asked to remain anonymous, says it seems, based on forensics details being revealed by various sources, that Harbor Freight's corporate network was attacked by three different strains of malware - two of which had never been seen before. All of the malware strains were equipped with built-in security features to prevent reverse-engineering detection, this expert says.
Harbor Freight on Aug. 6 said it has no updates to share about the breach investigation.
But the card fraud expert says the malware used in the Harbor Freight attack, which was similar to what was seen in the Schnucks attack, was designed to steal payment card details. "This will probably be a big one," the expert says. "Whenever they are able to get inside a corporate network, they kind of have the cookie jar open at that point. They get much more that way than cracking in store by store."
Span of Attack
The Harbor Freight breach affected transactions conducted between June 14 and July 20, according to advisories from Visa and MasterCard shared with Information Security Media Group. Issuers say they believe the breach many have occurred sooner.
"I think the date range and store locations are equally moving targets," one issuer says. "It doesn't seem like we've landed on a definitive period. Either the method of attack is making it difficult or the retailer's infrastructure is hampering forensic certainty."
Another issuer says fraudulent transactions linked to the breach have ramped up within the last two weeks, signaling that the compromised numbers were likely sold in an underground forum. "We haven't necessarily experienced a large loss yet, but I think we are just at the beginning of this thing," that issuer notes.
And a third issuer points out that fraudulent transactions associated with cards compromised in the Harbor Freight attack are showing up throughout the world. "We have seen significant attempts linked to Harbor throughout the world, as their aggressiveness in using the cards is increasing," that issuer points out.
Harbor Freight's Investigation
The Calabasas, Calif.-based retail tool store chain, which acknowledged the cyber-attack July 20, said at that time it learned of the compromise after several credit card companies began linking fraudulent card transactions to cards used at its stores. A forensics investigation later confirmed the attack, the company said.
Harbor Freight Tools hired computer security firm Mandiant to examine its system and implement enhanced security measures, the company said in its July statement. No updates have since been issued.
Recent Retail Breaches
The Harbor Freight incident is one in a growing series of cyber-attacks affecting retailers.
Roy's, a Honolulu-based restaurant chain, on July 5 announced that a malware attack was believed to have hit its corporate network after infecting an employee's desktop PC. The attack likely affected cards used at its five of its six Hawaii locations between Feb. 1 and Feb. 25.
In its June announcement, Raley's said it was trying to determine exactly what, if any, payment card information had been exposed. It noted, however, that it did not believe debit PINs could have been accessed. Cards used at Raley's, as well as affiliate brands Bel Air, Nob Hill Foods, Food Source stores and Aisle One gas stations, may have been impacted, the company said.
The MAPCO Express convenience store chain in May noted that hackers had remotely installing malware onto its card-processing systems and exposing credit and debit transactions. Three class action lawsuits were later filed against MAPCO, alleging payment details were exposed on hundreds of cards (see MAPCO Express Sued Over Malware Attack).
In April, a similar malware attack targeted certain, yet unnamed, merchants in Kentucky and southern Indiana. The attack, which was traced back to a vulnerability in software used to remotely access point-of-sale devices and systems, likely began sometime in mid-February, investigators said (see Retail Breach Contained; Fraud Ongoing).
Schnucks, a St. Louis-based grocery store chain, on March 30 confirmed its POS network had been attacked by "malicious computer code" designed to capture payment card details. A class action lawsuit later was filed against Schnucks as a result of the breach (see Schnucks Sued Over Malware Attack).