Staples Launches Breach InvestigationFraud Spike Reportedly Tied to Cards Used at Retailer
Staples has confirmed that it's investigating a potential data breach after a report warned that elevated levels of payment card fraud had recently been tied to card numbers used by consumers who shopped at the office supply retailer.
"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," Staples spokesman Mark Cautela tells Information Security Media Group.
The retailer confirmed the investigation after security blogger Brian Krebs reported that sources at more than six East Coast banks had seen a spike in card-related fraud that seemed to correspond with cards that were used by shoppers at 11 Staples locations across New Jersey, New York City and Pennsylvania.
The fraudulent purchases were reportedly made in non-Staples locations, which suggests that criminals may have used point-of-sale malware to harvest the card numbers, and then either created and used fake cards using the stolen data, or else used the data to make fraudulent purchases online.
Staples has more than 2,000 stores in 26 countries, including 1,800 across the United States and Canada.
"We take the protection of customer information very seriously and are working to resolve the situation," company spokesman Cautela says. "If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."
Cautela declined to comment further on the details of the potential breach and related investigation, including whether POS malware was suspected.
Backoff Malware Surges
"Enterprises are now coming to [the] conclusion that they are either already compromised, or will soon be," says Aviv Raff, CTO at APT defense firm Seculert. "It's not a matter of 'if,' it's a matter of 'when.' The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible."
In August, the U.S. Secret Service warned that 1,000 U.S. businesses may have been infected by Backoff malware, although at that time, only a handful of related breaches had come to light. The same month, the Department of Homeland Security issued a warning to all businesses that use POS systems, urging them to scan their systems for signs that they'd been compromised.
One of the businesses breached by Backoff was Dairy Queen, which earlier this month confirmed that POS systems at 395 of its locations - across 46 states - had been successfully infected by the malware. Dairy Queen said DHS notified it directly, in August, that its systems appeared to have been breached. Dairy Queen's subsequent investigation revealed that the malware was installed on its systems after its POS vendor's account credentials were compromised. But the restaurant chain has yet to disclose the identity of that third-party vendor.
Record Profits For Card Issuers
Gartner analyst Avivah Litan says that while 2014 has already been the worst year on record for card-related data breach reports, U.S. credit card issuers have nevertheless posted record profits.
"The credit card companies keep winning and the retailers keep losing when it comes to making money on credit cards," she says, citing statistics from consultancy R.K. Hammer, which estimates that that U.S. card issuers' revenues will hit $159 billion in 2014 revenue, up 9 percent from 2013, which is the first annual gain since 2008.
Litan has been a vocal critic of the U.S. payment card industry, and in particular has accused banks and card issuers of failing to invest in updating the aging payment infrastructure, including dragging their heels when it comes to adopting EMV and tokenization, which together might help block POS malware attacks and lead to a decline in the number of breaches at U.S. retailers and restaurants.
On Oct. 17, President Obama signed an executive order directing the government to "lead by example" and begin adopting chip-and-PIN cards for staff, as well as consumer benefits programs. Fraud watchers hope the move will help speed EMV adoption as well as drive the implementation of more secure payment systems (see: What's the President's Influence on EMV?).
"EMV will certainly help with counterfeit fraud, but it's going to take at least two to three years before it makes a meaningful difference in the U.S.," Gartner's Litan tells Information Security Media Group. Visa and MasterCard could make a big impact on fraud, Litan argues, by taking additional steps, such as putting in place tokenization and point-to-point encryption and forcing all transactions to use a PIN code, she says.