By  on August 25, 2014

WASHINGTON — The Department of Homeland Security estimates that over 1,000 U.S. businesses have been infiltrated by malicious point-of-sale software, significantly broadening the scope of known cyber attacks that hit Target and Neiman Marcus stores in the past year and thrust the issue into the national spotlight, spawning several Congressional probes and hearings.

In an advisory released Friday, the federal agency notified companies about the expanded scope of data security breaches and urged them to “proactively check for possible point-of-sale malware infections.”

Seven POS systems providers or vendors have confirmed security breaches, which have affected “multiple” clients, the agency said.

“Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 businesses are affected,” said the agency.

The agency said one particular family of malware, dubbed “Backoff,” was detected in October 2013 but was not recognized by antivirus software solutions until this month, and has “likely infected many victims who are unaware that they have been compromised.”

The National Cybersecurity and Communications Integration Center and U.S. Secret Service issued an advisory on July 31 regarding “Backoff” POS malware that officials said was “exploiting” business payment systems remotely and stealing consumer payment data.

Federal officials said the malware has the ability to scrape memory for track data, log keystrokes, carry out command-and-control communication and insert a “malicious stub” into explorer.exe files.

The agency recommended that companies contact their IT teams, antivirus vendors, managed service providers and POS system vendors to assess whether their systems have been compromised or are vulnerable. The Secret Service is currently contacting impacted businesses, and local offices are fielding calls from victims of the malware.

The massive data security breach at Target Corp. during the holiday shopping season last year, followed by another publicized breach in early January at Neiman Marcus Group Ltd. LLC, has raised alarm in the industry, spurring more scrutiny from federal officials and lawmakers on Capitol Hill, as well as industry collaboration and initiatives to protect consumers’ personal and financial data and combat security breaches and cyber crimes.

Target initially said 40 million consumers who shopped in its U.S. stores between Black Friday and Dec. 15 may have had information stolen from their credit or debit cards. The retailer subsequently learned and disclosed in January that certain consumer data separate from the credit card information was also stolen, and raised the number of potentially affected customers to 100 million. Neiman Marcus disclosed in January that 1.1 million payment cards may have been compromised in its data security breach.

The unprecedented data breach at Target was considered a factor that contributed to the early exit of Gregg Steinhafel as chairman, president and chief executive officer in May. The data security breach is believed to have reduced the level of holiday gift shopping at the chain during a critical business period.

The breach also prompted Target to step up initiatives on security enhancement. The retailer, which has been working toward adopting chip and PIN technology for the last decade, said it has accelerated its $100 million investment to put the technology in place by 2015. Target is working with MasterCard on a new initiative to enable Target-branded credit and debit cards with MasterCard’s chip and PIN solution. The retailer is moving its Red card portfolio to the new technology and installing supporting software and next-generation payment devices in its stores. The new payment terminals will be in all 1,797 U.S. stores by September, six months ahead of schedule.
