The Green Sheet Online Edition
December 22, 2014 • Issue 14:12:02
Bebe breach a reminder of security vulnerabilities
Cyber Week 2014 unleashed big deals and bigger threats in the omni-channel retail environment, where emerging consumer trends and a rash of high-profile security breaches have altered the holiday shopping playing field.
The latest breach at Bebe Stores Inc., initially reported by KrebsOnSecurity Dec. 4, 2014, and confirmed by Bebe the following day, involved cybercrime operation Goodshop, which was selling counterfeits of cards used at Bebe stores Nov. 18 through 28, according to Krebs' bank sources. The number of consumer accounts affected has not yet been determined.
Observers have noted that U.S. consumer confidence in data security was already at historic lows directly prior to the holiday season. In a report published Oct. 21, 2014, San Diego-based Identity Theft Resource Center disclosed that 621 data breaches occurred in 2014, affecting more than 77 million customers.
Other high-profile breaches include last holiday season's attack on Target Brands Inc., which involved data pertaining to 40 million credit and debit cards, and the more recent The Home Depot Inc. intrusion, in which 53 million email addresses and 56 million cardholder accounts were compromised. Additional notable breaches occurred at Kmart, Michaels Stores Inc., Sears Holdings Corp., Dairy Queen, Staples, Goodwill, Neiman Marcus, JPMorgan Chase, Verizon, and EA Games.
Findings by Princeton Research Associates on behalf of CreditCards.com confirmed that 45 percent of consumers would not shop at any of the retail stores that had been breached; 48 percent would use only cash throughout the holiday season.
Analysts give retailers mixed reviews
Consumers have been doing more shopping on smartphones and tablets, creating more entry points for hackers and a new set of challenges for information technology (IT) professionals throughout the retail and payments industries.
About the Bebe breach, Steve Hultquist, Chief Evangelist at security analytics company RedSeal, said, "Breaches of credit card data are now so widespread that cybersecurity experts refer to the 'breach of the week.' While details of this breach are sparse, it appears to be another example of point of sale malware capturing scanned card information and sending it to data collection receptacles.
"This approach underscores the requirements of a successful breach: initial access into a network to place the malware, vulnerable systems on which to place it, vulnerable systems to use as data collection points, and outbound access from the network to external data repositories. There are enough steps in the attack that automated analysis of the entire network is a critical and necessary defense.
"Leaving to reactive technologies the task of defending the organization without even knowing that they are properly placed within the network leaves the organization open to persistent attack. It is time for organizations to move beyond passive reactive defenses to active preventative technology."
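Of the four steps Hultquist lists, the last one, outbound access from the store network to external repositories, is the one a defender can check from egress logs alone. As an added example (not code from the article or from any company it quotes), the Python below scans constructed connection-log lines and flags register-segment hosts that send sizable volumes to any destination other than the assumed payment gateway; the POS subnet, the allowlist and the byte threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample egress-log lines (not from the article): timestamp, src, dst, dst_port, bytes_out
SAMPLE_LOG = """\
2014-11-18T09:12:01 10.20.5.11 203.0.113.10 443 1820
2014-11-18T09:12:05 10.20.5.11 203.0.113.10 443 2044
2014-11-18T23:41:09 10.20.5.11 198.51.100.77 8080 524288
2014-11-18T23:41:12 10.20.5.14 198.51.100.77 8080 498120
2014-11-18T10:03:44 10.40.1.8 93.184.216.34 80 3100
"""

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumed register VLAN
ALLOWED_DESTS = {"203.0.113.10"}                    # assumed payment-processor gateway
BYTES_THRESHOLD = 100_000                           # assumed per-host egress budget


def parse_line(line):
    """Split one whitespace-separated log record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def find_suspect_egress(log_text, pos_segment=POS_SEGMENT,
                        allowed=ALLOWED_DESTS, threshold=BYTES_THRESHOLD):
    """Return {(src, dst): total_bytes} for register hosts whose cumulative
    traffic to a non-allowlisted destination reaches the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in pos_segment:   # only the register segment is in scope
            continue
        if rec["dst"] in allowed:           # expected traffic to the processor
            continue
        totals[(str(rec["src"]), rec["dst"])] += rec["bytes"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in find_suspect_egress(SAMPLE_LOG).items():
        print(f"ALERT: register {src} sent {total} bytes to non-allowlisted {dst}")
```

In production the allowlist would come from the processor's published endpoints and the threshold from a baseline of normal register traffic; the sample flags the two off-hours transfers and ignores both the gateway traffic and the host outside the register segment.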
Companies that have experienced data breaches are generally considered to be safer after the intrusions due to their remedial activities and protections, but security analysts have found that is not always the case. Cambridge, Mass.-based BitSight Technologies, which evaluates threat detection procedures, downgraded 58 percent of its retail clients in 2014, citing sub-par security infrastructures.
In a Nov. 18 report that scrutinized 300 retailers, BitSight drew conclusions that do not come as a surprise: the retail sector is still under wide-scale attack, retailers breached in the last year have seen improvement, securing the supply chain remains a big challenge, and infection through malware, viruses, etc. is increasing in almost all threat vectors. More information from the report can be found at http://info.bitsighttech.com/retail-security-performance-2014.
Good fences not enough
New York-based SecurityScorecard, a security analytics company, provides real-time intelligence to enterprise-scale client organizations. Chief Executive Officer and co-founder Aleksandr Yampolskiy said that legacy security systems such as firewall and perimeter protection methods increase retailers' risk of data breaches.
Yampolskiy suggested that implementing real-time analytics and having better communication within the retail community would help "fight the bad guys and [improve best practices by] getting better at sharing information with each other."
James Nunn-Price, a partner and cyber lead at Deloitte Consulting LLP's UK office, said that complex IT infrastructures require equally complex security strategies that go beyond the traditional practice of perimeter protection.
Most organizations have "multiple perimeters of different strengths, and effort must move to managing the internal threat to detect what is happening within the [organization]," Nunn-Price said.
Other experts agree that today's increased connectivity has rendered perimeter protection and similar legacy practices obsolete. Peter Vlissidis, Technical Director at NCC Group, suggested that bring-your-own-device and cloud computing trends have made it imperative for organizations "to think about how information is structured and flows through not just their own networks, but the whole cyber world."
No happy holiday for Bebe
Meanwhile, instead of focusing exclusively on its holiday season sales strategies, Bebe is mopping up after a breach. As many as 174 Bebe stores and 35 outlet stores located in the United States, Puerto Rico and the U.S. Virgin Islands may have been affected. The retailer maintained that no online transactions were affected, and, in a prepared statement, Bebe CEO Jim Wiggett said, "We moved quickly to block this attack and have taken steps to further enhance our security measures."
Analysts have begun to comment on the breach, based on the limited amount of information available. Eric Chiu, co-founder and President of cloud control company HyTrust, stated, "A year has gone by since the Target breach with no end in sight – major breaches are happening more often with the most recent victim being Bebe, on the heels of Home Depot, Sony, eBay and many others."
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said, "It looks like the payment systems for [Bebe's] U.S. stores were attacked, meaning that most likely they were all using the same software/hardware that had the same vulnerability. Unfortunately, without additional technical explanations, exactly what was vulnerable on those systems will remain a secret, and we can only hope that the same vulnerability isn't going to be used against another retailer.
"Not only are these attacks getting bigger where attackers are able to siphon off massive amounts of data from the inside, but also the consequences are getting much larger with recent court rulings allowing banks to sue Target for its breach in 2013. The stakes are high for both companies and consumers – security has to be the top priority."