Slashdot Mirror


Staples: Breach May Have Affected 1.16 Million Customers' Cards

mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.

16 of 97 comments

  1. Honestly by Anonymous Coward · Score: 5, Insightful

    I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.

    I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.

    1. Re: Honestly by Anonymous Coward · Score: 2, Funny

      Hope you never have a run-in with a civil forfeiture traffic stop.

  2. Quote from the hackers by ArcadeMan · Score: 4, Funny

    That was easy.

  3. Re:One number to breach them all by dltaylor · Score: 3

    "I can only think the reason it hasn't been fixed is because fraud makes the banks money"

    No, the reason is that the CTO/CFO/CIO/Cxo don't go to jail for criminal negligence.

  4. Re: Neener by DigitAl56K · Score: 2

    Or Google Wallet.

    Let's not credit Apple alone with a solution when there are at least two major players in that market both encompassing a large install base and indeed Apple bringing their solution to the table much later.

  5. Re: Neener by Applehu Akbar · Score: 2

    Both schemes are just part of the NFC standard, which has worldwide support. The problem with Google Wallet in favor of Apple Pay is that GW requires sharing customer data with Google. Better hope there isn't a breach. GW also requires the user open an app on his device and enter a PIN. AP just comes up when you touch an iPhone to the point-of-sale terminal, and authenticates with your thumbprint.

  6. Network Level by Cytotoxic · Score: 4, Insightful

    It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.

    If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.

    1. Re:Network Level by Todd Knarr · Score: 2

      There should be more isolation, yep. When I handled POS the terminals had no local storage at all, they were network booted from images on the site server and the LAN they were on had no outside access at all. The site servers were on our own wide-area network that connected them to corporate, and there were only two network segments (Development and Support) that could connect to the site servers (sites couldn't even connect to each other). Access to the Dev and Support networks from the rest of the company was highly restricted, and any unexpected access from Dev or Support netted you a phone call and/or an in-person visit from the support manager to find out what had blown up.

      I can think of ways to get malware out to the POS system through all that, but all of them involve physically being in the basement of the corporate headquarters where the Support and Development department offices were located and any unknown face would've had to avoid 2 managers and 3 secretaries before being grabbed by the scruff of the neck by Cory and hustled back upstairs (because if Cory didn't recognize you you were not supposed to be down there).

    2. Re:Network Level by bmo · Score: 2

      Otherwise it's potentially just a matter of inserting a tiny reprogrammable USB stick when there are few cashiers on and the cashier who is on isn't looking for a few seconds (i.e. two people walking into a Staples store can pull this off really easily).

      Indeed, so much this.

      I've seen open USB ports on all sorts of POS terminals and it just boggles my mind, especially because I've been in industrial environments in small companies where hot-gluing USB ports shut is a matter of course.

      You can buy a USB flash drive that sits almost flush and if you take a little bit of elbow-grease and sandpaper, you can get it to sit flush easily.

      So I don't see how big companies like Staples, who have the actual budget to look at security this way, don't even bother to do the basics like this. It's time we start fining/class action lawsuit-ing firms that don't even do the least bit of security, with amounts of money that actually hurt and not take "5 minutes of profits" to pay.

      --
      BMO
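The restriction Cytotoxic and Todd Knarr describe above, as an added example that is not part of the thread: the POS segment is given an egress allowlist (payment gateway, site server and resolver on fixed ports only) and a flow log is checked against it, so that a terminal reaching anything else, including a neighbouring terminal, is flagged. All hosts, ports and log lines are constructed for illustration.

```python
# Added example (not from the Slashdot thread): a POS network segment in which
# each terminal may only reach the payment gateway and the site server on fixed
# ports.  Any other outbound connection is treated as a policy violation, which
# is how card-scraping malware trying to phone home would show up in the logs.
# All hosts, ports and log lines below are constructed for illustration.
import ipaddress
import re

# Allowlist entries: (destination network, destination port, protocol)
EGRESS_ALLOWLIST = [
    ("10.10.5.10/32", 443, "tcp"),   # hypothetical payment gateway
    ("10.10.5.20/32", 8443, "tcp"),  # hypothetical site server (boot images, journal)
    ("10.10.5.53/32", 53, "udp"),    # hypothetical internal DNS resolver
]

POS_SEGMENT = ipaddress.ip_network("10.10.30.0/24")  # hypothetical POS LAN

# Constructed flow log, one connection attempt per line.
SAMPLE_LOG = """\
2014-09-01T10:00:01 src=10.10.30.17 dst=10.10.5.10 dport=443 proto=tcp
2014-09-01T10:00:05 src=10.10.30.17 dst=10.10.5.53 dport=53 proto=udp
2014-09-01T10:01:12 src=10.10.30.17 dst=203.0.113.45 dport=80 proto=tcp
2014-09-01T10:01:13 src=10.10.30.22 dst=10.10.30.17 dport=445 proto=tcp
2014-09-01T10:02:40 src=10.10.30.22 dst=10.10.5.20 dport=8443 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

def is_allowed(dst, dport, proto):
    """True if destination, port and protocol match an allowlist entry."""
    dst_ip = ipaddress.ip_address(dst)
    for net, port, prot in EGRESS_ALLOWLIST:
        if dst_ip in ipaddress.ip_network(net) and dport == port and proto == prot:
            return True
    return False

def find_violations(log_text):
    """Return (src, dst, dport, proto) for every flow from the POS segment
    that the allowlist does not permit.  Lateral moves between terminals are
    violations too: nothing on the POS LAN needs to talk to its neighbours."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if ipaddress.ip_address(src) in POS_SEGMENT and not is_allowed(dst, dport, proto):
            violations.append((src, dst, dport, proto))
    return violations
```

Running `find_violations(SAMPLE_LOG)` flags the connection to 203.0.113.45:80 and the terminal-to-terminal attempt on port 445; the same allowlist can be enforced on the segment's router or firewall so that those flows are dropped rather than merely logged.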

  7. Re:I think it's about time... by plover · Score: 4, Informative

    I think it's about time we implemented some sort of single use credit card system.

    That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

    Look for it to be all over the US by October of next year.

    --
    John
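The single-transaction authorization plover describes, as an added example that is not part of the thread: a simplified model in which the chip MACs the amount, its own transaction counter and a terminal nonce with a key that never leaves the card, so a request captured at the POS cannot be replayed or altered. This is not EMV's real key derivation or message format, only the replay property; the card number and keys are constructed.

```python
# Added example, not from the thread: a simplified model of a per-transaction
# cryptogram of the kind chip cards produce.  The chip MACs the amount, its own
# transaction counter and a terminal-supplied nonce with a key that never
# leaves the card; the issuer recomputes the MAC and refuses counters it has
# already seen.  This is NOT EMV's real key derivation or message format.
import hashlib
import hmac
import os

def _mac(key, amount, atc, nonce):
    data = f"{amount}|{atc}|{nonce.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0  # atc: transaction counter

    def authorization_request(self, amount_cents, terminal_nonce):
        self.atc += 1  # every request carries a new counter value
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce,
                "mac": _mac(self.key, amount_cents, self.atc, terminal_nonce)}

class Issuer:
    def __init__(self, cards):
        self.keys = {c.pan: c.key for c in cards}  # issuer holds the card keys
        self.last_atc = {c.pan: 0 for c in cards}

    def authorize(self, msg):
        """Approve only a correctly MACed request with an unseen counter."""
        expected = _mac(self.keys[msg["pan"]], msg["amount"], msg["atc"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad cryptogram"   # altered fields, or request not made by the chip
        if msg["atc"] <= self.last_atc[msg["pan"]]:
            return "replay"           # same request presented a second time
        self.last_atc[msg["pan"]] = msg["atc"]
        return "approved"

def demo():
    """A captured request authorizes once; replaying or altering it fails."""
    card = Card("4111111111111111", os.urandom(16))  # constructed test PAN
    issuer = Issuer([card])
    req = card.authorization_request(1999, os.urandom(4))
    first = issuer.authorize(req)
    replay = issuer.authorize(req)
    tampered = dict(req, amount=199999)  # amount edited after capture
    return first, replay, issuer.authorize(tampered)
```

The contrast with the breach in the story is that a memory-scraped PAN, expiry date and verification code are all a magstripe or card-not-present transaction needs, whereas here the captured request is worthless without the chip's key.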

  8. Re:Would this solution stem these unending breache by lucm · Score: 4, Insightful

    It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.

    The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.

    --
    lucm, indeed.

  9. store list by CrAlt · Score: 4, Informative

    Here is the list of stores

    http://staples.newshq.business...

    --
    I have to return some videotapes...

  10. Re:One number to breach them all by plover · Score: 4, Informative

    I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.

    Well, you would be very wrong. Fraud costs both the retailers and the banks money. The real problem is that issuing new chip cards would cost the banks more than the fraud. Not only are the cards about a dollar more expensive each, and they still have to be re-issued about every three years, but the systems that inject encrypted keys into them, and store the keys on their databases, are very expensive. Banks are notoriously cheap when it comes to spending money that won't make them money.

    The other reason EMV hasn't rolled out across the U.S. is that millions of retailers have about 12 million old credit card terminals spread across the country, and most are owned by cheap store owners who don't like being told they have to spend money to replace them. Most retailers have been dragging their feet, not wanting to make an expensive change. But the new members of the breach-of-the-month club are mad about the insecure systems they've been forced to use, and are now championing the rapid switch to EMV instead of fighting it. The smaller retailers are also impacted now, and are no longer resisting.

    The irony is that EMV readers for the small retailers are far, far cheaper than the old terminals, and the rates for using new companies like Square, Intuit, and PayPal are much lower than the typical old bank rates for the old credit card readers.

    --
    John

  11. Re:Staples outsourcing prime factor in PCI breache by WindBourne · Score: 2

    The problem is, that they are no different than any of the others that have been cracked. Every last one of them is running windows and have outsourced to India. Now, 30 years ago, when considering security clearances, payrolls were looked at. Why? Because if somebody was on clearance and had too low of a salary, they could be bought.
    Well, the Indian coders are paid less than $10K / year back in India. All it takes is somebody from China, Russia, North Korea, Venezuela, Iran, etc to offer just ONE of them 100k (or 10 years worth of their salaries) to release a bug in the production systems. Of course, it is happening.
    This is how and why these companies are getting cracked. What is really needed is for customers and banks to SUE these companies, and NOW. And not just the company, but the CIO and CEO for putting their data at this much risk. Once CEO/CIOs are looking at being held personally responsible for their actions, well, things will change.
    Issue solved.

    --
    I prefer the "u" in honour as it seems to be missing these days.

  12. Why? It would not matter. by WindBourne · Score: 2

    Look, the problem here is that ALL OF THESE COMPANIES THAT WERE CRACKED have 3 things in common:
    1) they run windows.
    2) they outsourced to India.
    3) the company is not allowed to operate in India.

    Basically, Indians are being bought off to leave backdoors on the production system.

    --
    I prefer the "u" in honour as it seems to be missing these days.

  13. Re: Neener by Applehu Akbar · Score: 2

    An app is opened, but by the Apple Pay hardware rather than by the user. This keeps the interface simple and does not require any daemon in the OS; the user just pulls out her phone, touches it to the cash register, and authenticates with a designated fingerprint until a 'Done' checkmark pops up. Other schemes require the user to turn on the phone, go into a specified app, and enter a PIN.

    The ACH transfer scheme being pushed by Walmart also requires that the user scan a QR code that is generated by the cash register as a challenge/response sequence. By this time, the other people in line at the register are starting to cough and shuffle their feet while the user wonders why he didn't just pull out his credit card to begin with. Small wonder that Walmart's scheme (which, because it also requires a central database of user information, has already been hacked) is so unpopular even in beta that chains using the system have been ordered to turn off NFC entirely to stop wholesale defection. This locks out all NFC vendors, including Google and all those European and Asian visitors who had been happy to hear that American retailers were finally about to exit the twentieth century.