Eddie Bauer, an outdoor apparel retailer based in Bellevue, Washington, warned customers in mid-August that point-of-sale (POS) malware infected its retail store systems on "various dates" over a six-month period before the malware was discovered and eradicated.
Eddie Bauer is owned by San Francisco-based private equity firm Golden Gate Capital and counts about 360 stores in the United States and Canada that were affected by the breach, and about 40 stores in Germany, Japan, and Southeast Asia that were not.
The company's breach notification suggests that every one of its North American stores may have been affected by what it claimed was a "sophisticated attack." But the breach notification does not detail how many customers may have had their payment cards compromised in the data breach, although the retailer says it is reaching out directly to customers who might have been affected, "by mail, a press release, and a website."
"We determined that customers' payment card information used at our retail stores on various dates between January 2, 2016 and July 17, 2016, may have been accessed," says Eddie Bauer CEO Mike Egeck in an August 18 letter to customers. "Not all cardholder transactions during this period were affected. Payment card information used online at eddiebauer.com was not affected."
Eddie Bauer said attackers obtained cardholder names, payment card numbers, security codes and expiration dates for customers who bought or returned products. The retailer did not immediately respond to a request for comment about how it discovered the breach or what type of point-of-sale (POS) malware was used against it. But on July 5, the retailer told security blogger Brian Krebs, who heard reports of potential fraud at the retailer from several U.S. financial institutions, that it was not aware of any breach.
Egeck said that in the wake of the retailer learning it had been breached, it "immediately initiated a full investigation with third-party digital forensic experts to identify and contain the attack as quickly as possible" and also alerted the FBI. The retailer says the breach has now been contained.
"Out of an abundance of caution, we are offering identity protection services to all customers who made purchases or returns in our stores between January 2, 2016 and July 17, 2016," Egeck says. The services are being offered via Kroll.
Yet Another POS Malware Campaign
The retailer said that during the course of its investigation, it found that the same malware had been used to infect other organizations that use POS devices. "We learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer," Egeck says. "We are conducting a comprehensive review of our IT systems to incorporate recommended security measures in order to strengthen them and prevent this from happening again."
Security experts say that while different cybercrime gangs may employ different types of POS malware, most of it is functionally identical and unsophisticated, and could be better blocked if retailers changed default passwords on their POS devices and used segmentation to better isolate POS systems.
While the appearance of any new type or variation of attack code triggers alarm in financial services and retail circles, Charles Henderson, vice president of managed security testing at information security firm Trustwave, says there's a bigger problem than the POS malware du jour. Too many retailers use POS devices without changing their default passwords or running them on segmented networks, which makes such devices easy to infect with remotely controllable malware.
"This is not some ninjas coming through the ceiling on ropes, putting malware on your point of sale in the dead of night," Henderson says. "These are fairly easy attacks that could be prevented in many cases."