Better detection, oversight advised in wake of HBC breach

Hudson's Bay Co. is the latest high-profile retailer to report a data security breach. The Toronto-based company issued a statement April 1, 2018, confirming its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor brands are being investigated for unusual payment card activity. The company's ecommerce and digital platforms do not appear to have been affected. Impacted individuals will be offered free identity protection, credit and web monitoring services and dedicated call center assistance, company representatives stated.

Security analysts believe hackers slipped in undetected via HBC's POS systems. Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, estimates as many as 6 million U.S. and 1 million European and Asian consumer credit card account details may have been affected. He noted that a recent similar operation targeted similar stores and stole data for about 3 million credit cards between May and December 2017. "All of these breaches seem to have utilized a point-of-sale malware that intercepts credit card transactions, records them onto a local file, encrypts them and then sends the encrypted information to its command-and-control server," he said.

Hahad emphasized two takeaways from the HBC incident: data breaches are inevitable, and hackers can escape detection for lengthy periods. He urged organizations to prioritize detection over prevention. "Most breach prevention methods have to take a quasi-instantaneous decision on allowing or blocking traffic and there is just not enough time to make a bulletproof determination," he added. "Organizations have to allocate budgets specific to detection, which utilize all network assets to detect post-infection indicators, such as command-and-control communication as well as analytics-based solutions, which are more capable of identifying low and slow types of attacks [that] spread over time."

10 recommended best practices

Eric Luke, senior director, forensic investigations at Security Metrics, has seen companies employ advanced technologies without properly configuring them. "The most advanced POS systems may use chip and PIN or point-to-point encryption, but criminals are finding ways to get around them," he said. "One common vulnerability is leaving a device in debug mode, which clearly displays encrypted payment card data."

Luke recommends the following additional 10 precautions to protect against cyber threats:

1. Run the latest OS, and use only device-supported software. You may not always be able to get the latest upgrade but install patches as soon as they become available.

2. Update, update, update. The frequency of reported vulnerabilities has increased the number of patches that need to be installed. For example, websites had a 10-hour window to install the "Drupalgeddon" patch to avoid becoming permanently compromised, he noted.

3. Use a virtual private network when connecting to untrusted or public networks, to encrypt data and protect against man-in-the-middle attacks.
4. Monitor network traffic. "If your operating system is susceptible, you can still monitor and control what goes out of your network," Luke said. "If you know there haven't been recent system updates and find a file has been created, you know something's wrong."

5. Protect data. Share only minimum required personal information when online.

6. Improve password protection.Avoid using the same password on multiple sites. Invest in a password manager to generate more complex passwords.

7. Scrutinize credit card statements. Review credit card statements monthly or daily, according to your individual risk tolerance, Luke said. Any suspicious activities will be easy to spot.

8. Install fraud alerts. Credit card companies offer free fraud alerts and monitoring to block suspicious activities and fraudulent transactions, he noted.

9. Implement multilayered security. "Staying offline is the best way to prevent cyberattacks, but when we have to be connected, we need multi-layered security," Luke stated. "PCI DSS, patches and firewalls create individual layers that help us see what's going on, from a resource and time standpoint."

10. Balance machine, human oversight. "Machines catch alerts that humans miss, and human eyes catch anomalies that machines miss," he stated.

HBC representatives said the company will provide updates on the ongoing data breach investigation on these websites: www.saksfifthavenue.com/security-information/notice.html , www.saksoff5th.com/security-information/notice.html , and www.lordandtaylor.com/security-information/notice.html .

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.