Slashdot Mirror


Malware Infected All Eddie Bauer Stores In US, Canada (krebsonsecurity.com)

New submitter alir1272 quotes a report from Krebs On Security: Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after Krebs On Security first notified the clothier about a possible intrusion at stores nationwide. "The company emphasized that this breach did not impact purchases made at the company's online store eddiebauer.com," reports Krebs On Security.

  1. Good thing I don't shop there... by Anonymous Coward · · Score: 1, Informative

    Overpriced, snooty-assed brand...

    1. Re:Good thing I don't shop there... by Anonymous Coward · · Score: 1, Funny

      We get it. You're poor. That doesn't mean the rest of us aren't looking for quality merchandise that will get us laid.

    2. Re:Good thing I don't shop there... by thesupraman · · Score: 4, Funny

      We get it. You're ugly. That doesn't mean the rest of us need overpriced junk that will get us laid. ;)

    3. Re:Good thing I don't shop there... by guyniraxn · · Score: 1

      They have sales about every other month and the clothes are pretty decent in terms of quality. I don't think "snooty" is accurate either, in modern parlance they'd be considered "basic."

  2. Really? by drew_92123 · · Score: 1

    Is Eddie Bauer still a thing? I remember checking that place out years ago and never went back, nothing but a bunch of overpriced garbage.

    1. Re:Really? by Nidi62 · · Score: 1

      Is Eddie Bauer still a thing? I remember checking that place out years ago and never went back, nothing but a bunch of overpriced garbage.

      Eh, I buy Eddie Bauer t-shirts at Sam's for about $8 each. They aren't too bad. Not sure what they would cost at an actual Eddie Bauer store though.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:Really? by ITRambo · · Score: 1

      Apparently with no competent IT department either.

    3. Re:Really? by cdrudge · · Score: 1

      Not sure what they would cost at an actual Eddie Bauer store though.

      Judging from their website, at least $25.

    4. Re:Really? by parkinglot777 · · Score: 1

      Eh, I buy Eddie Bauer t-shirts at Sam's for about $8 each. They aren't too bad. Not sure what they would cost at an actual Eddie Bauer store though.

      Cheapest T-shirt costs $20~$23 on their web site. I am sure they are made-in-China which would cost them a couple dollars including shipping. $8 is still more expensive than other T-shirts (no name brand) I could find in Walmart. :p

    5. Re:Really? by JustAnotherOldGuy · · Score: 1

      I go to SE Asia once or twice a year and buy 10 or 20 t-shirts at $2 to $3 apiece. Same exact shirts you'll find in any major stores in the US, but bought locally a few kilometers from the source factory.

      I give some away (they have logos and stuff) but the rest I keep, so I now have a lifetime supply of t-shirts, lol.

      On another note, it's an incredible sight to see a couple thousand of the young Asian lady workers all exiting the factory en masse at the end of the day and riding back home on near-identical bikes.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  3. during the first six months of 2016 by ddtmm · · Score: 3, Interesting

    ...credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach.

    How is it that it went undetected by credit card companies and banks for so long? Surely they should have detected a pattern. I've always wondered why credit card companies don’t seem to care about fraud. It's like they have no interest in getting to the bottom of it.

    1. Re:during the first six months of 2016 by HungryMonkey · · Score: 4, Interesting

      Six months is probably from the oldest infected file date. Given that it was at every location, there is a good chance they didn't do anything with the information obtained until it had spread across the network. And even then, they may have let it sit and gather data for a while before they sold anything on the assumption that once they started to act it wouldn't take long to be shut down.

    2. Re:during the first six months of 2016 by tomhath · · Score: 5, Insightful

      FTFA

      On July 5, 2016, KrebsOnSecurity reached out to Bellevue, Wash., based Eddie Bauer after hearing from several sources who work in fighting fraud at U.S. financial institutions. All of those sources said they’d identified a pattern of fraud on customer cards that had just one thing in common: They were all recently used at some of Eddie Bauer’s 350+ locations in the U.S. The sources said the fraud appeared to stretch back to at least January 2016.

      How is it that the article says they did detect a pattern but you didn't notice it? Surely you read the article before posting a question like that.

    3. Re:during the first six months of 2016 by Anonymous Coward · · Score: 1

      I've always wondered why credit card companies don’t seem to care about fraud. It's like they have no interest in getting to the bottom of it.

      That's because credit card companies HAVE NO INTEREST in getting to the bottom of it. When cards are used fraudulently, the bank is only liable for the cost of a replacement card and some postage. The cost of fraud is largely on merchants who accepted the cards and had chargebacks from the real customers.

    4. Re:during the first six months of 2016 by JustAnotherOldGuy · · Score: 1

      GP obviously lives in a basement and has never had a girlfriend.

      When women shop they don't go to just one store and buy what they need. They go to dozens of stores, buy stuff, then return most of it. Then they go to more stores and buy more stuff.

      This is soooooooooo true. Painfully true.

      I have heard that in the US ~70% of all returned merchandise is returned by women. Don't know if it's an accurate number but it sure sounds about right.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:during the first six months of 2016 by PPH · · Score: 1

      Surely you read the article before posting ...

      I'm beginning to detect a pattern here.

      --
      Have gnu, will travel.
    6. Re: during the first six months of 2016 by bestweasel · · Score: 1

      My question is why was it KrebsOnSecurity who told Eddie Bauer they had a problem and not the banks and cc companies?

      On July 5, 2016, KrebsOnSecurity reached out to Bellevue, Wash., based Eddie Bauer after hearing from several sources who work in fighting fraud at U.S. financial institutions. All of those sources said they'd identified a pattern of fraud on customer cards that had just one thing in common: They were all recently used at some of Eddie Bauer's 350+ locations in the U.S. The sources said the fraud appeared to stretch back to at least January 2016.

      A spokesperson for Eddie Bauer at the time said the company was grateful for the outreach but that it hadn't heard any fraud complaints from banks or from the credit card associations.

  4. malware, malware, everywhere malware... by Anonymous Coward · · Score: 2, Interesting

    these sorts of things simply didn't happen when the credit card machines were hooked directly up to a phone line. swipe, authorize, print, sign, done.

    the same thing COULD still be done with the "new" chip cards (chip and sign, chip and pin, or debit or gift card for that matter), if merchants and credit card companies weren't so fucking clueless.

    yes, they still make those devices, and yes, the new ones do the new cards and some can even still do dial-up.

    merchants should be 100% accountable for every single bit of stolen credit card details, because it is they who choose the less-secure pc-based credit card processing. and i'd even go one farther to say they may even be *criminally negligent* because a more secure method that does not require their own handling of credit card information has existed for *decades*

  5. A great disturbance by JustAnotherOldGuy · · Score: 2

    And ten million hipsters cried out in terror, as if there had been a great disturbance in the supply of flannel lumberjack shirts.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. "may have been" lol by JustAnotherOldGuy · · Score: 1

    "...credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach"

    I set fire to your house and burned it to the ground. There may have been some smoke damage.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  7. Re:And right away by JustAnotherOldGuy · · Score: 1

    Topo Gigio!

    Oy, I'm old. :(

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Re:And right away by Ol Olsoc · · Score: 1

    Topo Gigio!

    Oy, I'm old. :(

    TaDAH!!!! You win. I was just a kid at the time, but I remember old Topo.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. I can add something fun to this story by slashmydots · · Score: 1

    I personally know some of the IT workers at Eddie Bauer and they're incompetent morons that have no business working in IT. They have impressive resumes and absolutely no practical, real-world IT skills whatsoever. I was going to pursue a job there but after looking into it, I didn't even bother applying.

  10. They still have stores? by Sir Holo · · Score: 1

    I thought that Sears bought the Eddie Bauer Brand about 7 years ago, and were going to integrate those products into their regular stores.

    News for Nerds: Eddie Bauer still has over 350 brick-and-mortar stores in North America.

    Who knew? Where should we go for our khakis now?

  11. Re:cash by bill_mcgonigle · · Score: 1

    Just use cash and not worry about it

    I've reverted to using cash for most things for precisely this reason. IT sucks everywhere.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. windows and offshoring. by WindBourne · · Score: 1

    Yes, Eddie, like nearly all those that have been cracked, runs Windows and outsourced to India, some parts. I'm not certain where, but I will put money down that India has access to the POS and handles the Sys. Ad.
    Some of you will scream that this is racist. You are right, but not on my part, but on yours.
    The fact is, that when you pay somebody 1/10 of what you pay normally, and you have enemies that have easy access to these employees, well, all they have to do is offer 10-20x what you were paying. IOW, these companies are paying Indians below $10,000 due to India manipulating their money downwards.
    Now, Russians who have easy access to India, come along and offer various Indians $100,000 to leave a back door, at which point, the Russians will put in a NEW backdoor and remove the old one.
    What is crazy is the fact that so many ignore this situation. And it is easy to spot. Just got to get over your racist attitude and simply copy the VPN streams from India.

    --
    I prefer the "u" in honour as it seems to be missing these days.