Slashdot Mirror


Staples: Breach May Have Affected 1.16 Million Customers' Cards

mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.

7 of 97 comments

  1. Honestly by Anonymous Coward · Score: 5, Insightful

    I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.

    I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.

  2. Quote from the hackers by ArcadeMan · Score: 4, Funny

    That was easy.

  3. Network Level by Cytotoxic · Score: 4, Insightful

    It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.

    If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.
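
    One way to express the segmentation this comment describes, as an added example that is not part of the thread: a small Python script that renders an egress allowlist for a POS subnet as an nftables ruleset for the router in front of that segment, and audits a few flow records against the same policy so a defender can see which observed connections the policy would have dropped. All addresses, ports and flow lines are constructed.

```python
"""Egress allowlist for a POS network segment.

Added example, not from the thread. It renders a policy as an nftables ruleset
for the router between the POS segment and everything else, and audits observed
flows against the same policy. All addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst: str      # allowed destination, single address or CIDR network
    proto: str    # "tcp" or "udp"
    port: int     # destination port


# Constructed policy: POS terminals may reach only the payment gateway
# (primary plus a standby for outages) and the internal DNS resolver.
POS_SUBNET = "10.20.0.0/24"
POLICY = [
    Rule("198.51.100.10", "tcp", 443),   # payment gateway, primary
    Rule("198.51.100.11", "tcp", 443),   # payment gateway, standby
    Rule("10.0.0.53", "udp", 53),        # internal resolver
]


def flow_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """True only for a POS source whose (dst, proto, port) matches a rule."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(POS_SUBNET):
        return False   # the policy is written for the POS segment only
    dst_ip = ipaddress.ip_address(dst)
    return any(proto == r.proto and port == r.port
               and dst_ip in ipaddress.ip_network(r.dst)
               for r in POLICY)


def nft_ruleset() -> str:
    """Render POLICY as an nftables forward chain: allow replies, allow the
    listed destinations, then log and drop everything else leaving the POS
    subnet and anything unsolicited entering it. Other segments are untouched
    because the chain policy stays accept."""
    lines = [
        "table inet pos_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        lines.append(f"    ip saddr {POS_SUBNET} ip daddr {r.dst} "
                     f"{r.proto} dport {r.port} accept")
    lines.append(f'    ip saddr {POS_SUBNET} log prefix "pos-egress-drop " drop')
    lines.append(f'    ip daddr {POS_SUBNET} log prefix "pos-ingress-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records (src dst proto dport), as a flow log might show them.
SAMPLE_FLOWS = """\
10.20.0.15 198.51.100.10 tcp 443
10.20.0.15 10.0.0.53 udp 53
10.20.0.22 203.0.113.77 tcp 443
10.20.0.22 198.51.100.10 tcp 8443
10.20.0.31 203.0.113.5 tcp 21
"""


def audit(flows: str) -> list:
    """Return the flows the policy would drop, as (src, dst, proto, port)."""
    denied = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        if not flow_allowed(src, dst, proto, int(port)):
            denied.append((src, dst, proto, int(port)))
    return denied


if __name__ == "__main__":
    print(nft_ruleset())
    for flow in audit(SAMPLE_FLOWS):
        print("would drop:", *flow)
```

    The ingress drop at the end is what makes "reach the machine" hard for anyone outside the segment; any management path (a jump host, a patch server) has to be added as an explicit allow above it, which is the point of the exercise. Running the audit over real flow logs before enabling the ruleset shows what the policy would break.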

  4. Re:I think it's about time... by plover · Score: 4, Informative

    I think it's about time we implemented some sort of single use credit card system.

    That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

    Look for it to be all over the US by October of next year.

    --
    John
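
    The single-use property plover is pointing at, as an added example that is not part of the thread and is not EMV's actual cryptogram format: a toy model in Python in which the card and the issuer share a per-card key, the card keeps a transaction counter, and each authorization is an HMAC over the counter, the amount and a terminal nonce. The issuer then rejects a captured authorization presented a second time and a copy with an altered amount. The key, the nonce and the card number are constructed values.

```python
"""Single-use transaction authorization, simplified.

Added example, not from the thread and not EMV's actual cryptogram format: a
toy model of the property the comment describes. Card and issuer share a
per-card key, the card keeps a monotonically increasing transaction counter
(ATC), and every authorization is an HMAC over the counter, the amount and a
terminal nonce. A captured authorization therefore cannot be spent again and
cannot be altered without the key. All keys and the card number are constructed."""
import hashlib
import hmac
import secrets


def _message(pan: str, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Canonical bytes the cryptogram commits to."""
    return f"{pan}|{atc}|{amount_cents}|".encode() + nonce


class Card:
    """The chip side: holds the secret key and the transaction counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce a cryptogram for exactly this transaction; the counter
        advances so the same value is never signed twice."""
        self.atc += 1
        mac = hmac.new(self._key,
                       _message(self.pan, self.atc, amount_cents, terminal_nonce),
                       hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """The bank side: knows every card key and the last counter seen per card."""
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan: str) -> Card:
        key = secrets.token_bytes(32)   # injected into the chip at personalization
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def verify(self, auth: dict) -> str:
        pan = auth["pan"]
        if pan not in self._keys:
            return "unknown card"
        expected = hmac.new(self._keys[pan],
                            _message(pan, auth["atc"], auth["amount"], auth["nonce"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return "bad cryptogram"     # amount or another field altered in transit
        if auth["atc"] <= self._last_atc[pan]:
            return "replay"             # this counter value was already spent
        self._last_atc[pan] = auth["atc"]
        return "approved"


def demo() -> list:
    """Walk through one legitimate purchase, a replay of its captured
    cryptogram, a tampered copy, and a fresh purchase from the same card."""
    issuer = Issuer()
    card = issuer.issue("4000000000000002")          # constructed test PAN
    auth = card.authorize(2599, secrets.token_bytes(4))
    results = [issuer.verify(auth)]                  # approved
    results.append(issuer.verify(auth))              # replay: counter already used
    results.append(issuer.verify(dict(auth, amount=25900)))   # bad cryptogram
    results.append(issuer.verify(card.authorize(1000, secrets.token_bytes(4))))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

    The model also shows the "kinks" the comment mentions: the account number itself is still fixed and still travels with the authorization, so only channels that insist on the cryptogram gain anything from it.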
  5. Re:Would this solution stem these unending breache by lucm · Score: 4, Insightful

    It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.

    The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.

    --
    lucm, indeed.
  6. store list by CrAlt · Score: 4, Informative

    Here is the list of stores

    http://staples.newshq.business...

    --
    I have to return some videotapes...
  7. Re:One number to breach them all by plover · Score: 4, Informative

    I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.

    Well, you would be very wrong. Fraud costs both the retailers and the banks money. The real problem is that issuing new chip cards would cost the banks more than the fraud. Not only are the cards about a dollar more expensive each, and they still have to be re-issued about every three years, but the systems that inject encrypted keys into them, and store the keys on their databases, are very expensive. Banks are notoriously cheap when it comes to spending money that won't make them money.

    The other reason EMV hasn't rolled out across the U.S. is that millions of retailers have about 12 million old credit card terminals spread across the country, and most are owned by cheap store owners who don't like being told they have to spend money to replace them. Most retailers have been dragging their feet, not wanting to make an expensive change. But the new members of the breach-of-the-month club are mad about the insecure systems they've been forced to use, and are now championing the rapid switch to EMV instead of fighting it. The smaller retailers are also impacted now, and are no longer resisting.

    The irony is that EMV readers for the small retailers are far, far cheaper than the old terminals, and the rates for using new companies like Square, Intuit, and PayPal are much lower than the typical old bank rates for the old credit card readers.

    --
    John