A data security breach involving Staples Inc., initially reported in October 2014, has been confirmed by the Framingham, Mass-based retail office supply chain. The far-reaching event impacted 119 of the 1,500 Staples locations in 35 states. Malicious software discovered inside cash registers was intercepting credit card transactions and transmitting cardholder data to a criminal host network. The company believes that up to 1.16 million credit cards may have been affected by the breach.
A company press release issued on Dec. 19 stated that “malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes. At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
Staples urges consumer due diligence
Staples spokesman Mark Cautela reported that the company is working closely with law enforcement in an ongoing investigation. “We take the protection of customer information very seriously, and are working to resolve the situation,” Cautela said, adding that consumers will not be held responsible for any fraudulent activity that is reported in a timely manner.
Staples published a list of affected locations from Alabama to Wyoming. Located at http://staples.newshq.businesswire.com/statement, it includes each store’s window of vulnerability from the malware’s initial installation date to the time of its removal. Consumers are urged to review credit card statements and promptly notify card issuing banks of any suspicious charges. Staples is also offering free identity protection services and credit reports to customers who used their cards at affected stores during the relevant time periods.
Same malware, different store
Forensic analysts have noted similarities that link the Staples data compromise with an earlier incident reported in January 2014 by Michaels Stores Inc., an Irving, Texas-based arts and crafts retailer that is the parent company of Michaels and Aaron Brothers stores. Malware used in tampered POS devices at both Staples and Michaels was found to be communicating with the same criminal host network.
The January 2014 attack was the latest in a series of data breaches for Michaels, beginning with a May 2011 attack involving what the company described as “90 individual PIN pads that showed signs of tampering” that were subsequently disabled. While the incident affected less than one percent of its stores, the company installed 7,200 PIN pad readers in all 964 stores as an added precaution. Unfortunately, this costly measure proved to be insufficient protection from further data attacks. A press release issued on April 17, 2014, disclosed additional, ongoing malicious activities.
The release stated: “Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7 percent of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com .”
Meanwhile, controversy erupted as a result of a survey released by the Independent Community Bankers of America, whose members reported reissuing approximately 7.5 million payment cards in the wake of the The Home Depot U.S.A. Inc. breach, at a total cost of $90 million.
In a Dec. 18 press release about the survey, John Buhrmaster, ICBA Chairman and President, stated, “Community banks continue to absorb exorbitant costs due to data breaches, and they do so upfront because their primary concern is to protect their customers. However, this is money—more than $90 million—that could be used for lending in local communities to homeowners, small business owners and budding entrepreneurs to spur local economic growth and stability. For this reason, we continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach. Communities and customers should not suffer for the faults of retailers.”
In addition, the ICBA stated it promulgates the following five data security principles:
- The costs of data breaches should ultimately be borne by the breached party.
- All participants in the payments system — including merchants — should be subject to Gramm-Leach-Bliley Act–like data-security standards.
- A national data-security breach and notification standard should be implemented to replace the current patchwork of state laws.
- Unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed.
- While community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone may not have prevented the recent retailer breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.
In response, executives from several leading retailers’ associations, including the National Retail Federation, Retail Industry Leaders Association and Merchant Advisory Group, released a letter to the ICBA claiming that these principles are “based in part on misinformation and at best incomplete.”
This is just the latest volley of finger pointing between retailers and financial institutions seeking to assign blame and consequences for the data breaches plaguing our payment systems.
One positive development to arise from the recent epidemic of security data breaches can be seen in the retail community’s heightened sense of urgency about upgrading and securing existing card payment systems. Staples stated it plans to enhance the security of its POS systems with up-to-date tokenization and point-to-point encryption technology. Home Depot and Target Corp. plan to install EMV readers in 2015, a move that reflects a majority of Level 1 retailers’ near-term objectives. Target has reportedly committed $148 million in upgrades to its processing systems in the wake of its massive credit card breach.
Deborah Baxley, Principal at Capgemini, and an active member of Princeton, N.J.-based Smart Card Alliance, sees EMV (Europay, MasterCard and Visa) enablement of the POS infrastructure as a positive step for the retail community. “While EMV doesn’t offer 100 percent protection from security attacks, it will greatly reduce vulnerabilities, because EMV cards store payment information in a secure chip rather than on a magnetic stripe,” Baxley said. “A counterfeit EMV card that is stolen from a database will fail because the issuer will recognize it as a chip card, and not a magnetic stripe card.”
Baxley mentioned that merchants who migrate to EMV ahead of the Oct. 1, 2015, deadline will be further protected from financial liability in the event of a costly data breach. She stressed the need for all payments industry stakeholders to work together to correct vulnerabilities in older legacy infrastructures and protect the integrity of payment card processing systems.