The point of sale (PoS) systems at Eddie Bauer retail stores across North America were infected with malware between January 2, 2016 and July 17, 2016, the clothing store chain announced on Thursday.
As soon as it learned about the breach, the clothing and recreational outfitter launched an investigation which found that customers who made purchases from the chain’s retail stores between January 2, 2016 and July 17, 2016 might have been impacted. Eddie Bauer operates over 350 retail stores in Canada and the United States.
The malware used in the attack enabled hackers to access payment card account information, the company revealed in an announcement. The compromised details include cardholder name, payment card number, security code, and expiration date.
According to the announcement, not all cardholder transactions during the infection period were affected by the malware. Moreover, the company underlined that only retail stores were affected and that customers who made purchases online at eddiebauer.com didn’t have their payment card information stolen in the attack.
What the company hasn’t revealed, however, was information on the malware used to breach the payment system and how attackers managed to compromise the network. However, the clothing store chain did say that the malware breach was part of a “sophisticated attack directed at multiple restaurants, hotels, and retailers.”
Over the past several months, numerous restaurants and hotels were hit by similar attacks, including Noodles & Company, Kimpton Hotels & Restaurants, Hard Rock Hotel & Casino, Wendy’s, Omni Hotels, and Cicis, but no information on these incidents being related has been provided as of now. Most recently, HEI Hotels & Resorts informed customers on a payment card breach.
In an open letter to the company’s customers, Eddie Bauer CEO Mike Egeck notes that the incident has been “fully identified and contained.” The store chain is conducting a “comprehensive review of our IT systems to incorporate recommended security measures in order to strengthen them and prevent this from happening again,” Egeck’s letter reads. The company is also working with the FBI to identify the perpetrators.
Eddie Bauer is also notifying the customers who might have had their payment card information stolen in this attack. The company says that it has already notified payment card networks on the matter, so that they could work with card issuing banks to monitor the accounts of impacted customers for fraudulent activity.
Speaking of retailers’ ability to prevent such attacks, John Christly, CISO, Netsurion, told SecurityWeek in an emailed comment that retailers of all sizes need better tools combined with increased cyber intelligence.
“Gone are the days when a typical firewall could be set up once and run without constant monitoring, tweaking and ensuring the data coming from it was correlated with other systems,” Christly said. “Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical un-managed firewall. It takes a different approach to stop some of these advanced attacks, and many products and service providers simply do not have the ability to stop them before they do real damage.”
Ideally, Christly says, retailers should use advanced tools such as file integrity monitoring, unified threat management appliances, security information and event management, and next-generation endpoint security solutions.