The office supply chain Staples is investigating a potential breach of credit card data. According to Mark Cautela, Staples’ senior public relations manager, “Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
Security specialists believe the hackers are using a form of the same malicious software, Backoff, used in the Target and Home Depot assaults, among others.
The malware, Backoff, made headlines this past summer. According to Crosman (2014), “One of millions of malware mutations out there, Backoff tries to break into point-of-sale networks and steal credit card data; 600 retailers have reportedly been hit.” Crosman adds that the concerns about Backoff surface as cyber-attacks against financial institutions and retailers are growing more frequent, more sophisticated, and more widespread. Many banks have recently fallen victim to “masquerading,” a combination of social engineering and confidence scam that uses high-tech tools and generally results in wire transfer fraud. Backoff-like malware is said to have been behind several recent high-profile retailer breaches, including those at Target, P.F. Chang’s, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.
“Enterprises are now coming to the conclusion that they are either already compromised, or will soon be,” says Aviv Raff, CTO at APT defense firm Seculert. “It’s not a matter of ‘if,’ it’s a matter of ‘when.’ The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.”
In August, the U.S. Secret Service warned that 1,000 U.S. businesses may have been infected by Backoff malware, although at that time, only a handful of related breaches had come to light. The same month, the Department of Homeland Security issued a warning to all businesses that use POS systems, urging them to scan their systems for signs that they’d been compromised.
Crosman, P. (2014). How ‘Backoff’ malware works and why banks care. Retrieved from http://www.americanbanker.com/issues/179_149/how-backoff-malware-works-and-why-banks-should-care-1069180-1.html
Schwartz, M.J. (2014). Staples launches breach investigation. Retrieved from http://www.govinfosecurity.com/staples-launches-breach-investigation-a-7459
Weise, E. (2014). Staples in Northeast likely breached with ‘more to come’. Retrieved from http://www.usatoday.com/story/tech/2014/10/21/staples-breach-northeast/17663941/