Thrift store chain America’s Thrift Stores has fallen victim to a data security breach. Hackers infiltrated the company via the software of a third-party service provider. The breach opened the door for criminals from Eastern Europe to gain access to some payment card numbers.
The good news is the U.S. Secret Service is reporting that only card numbers and expiration dates were stolen. It does not appear that customer names, phone numbers, physical or e-mail addresses were compromised in the breach, which investigators concluded happened between September 1, 2015 and September 27. America’s Thrift Stores is a chain of 18 thrift stores in Mississippi, Alabama, Louisiana, Georgia and Tennessee.
“As soon as we learned of this incident, America’s Thrift Stores began working with a leading independent external forensic expert and the U.S. Secret Service to examine the breach,” said Kenneth Sobaski, CEO of America’s Thrift Stores, in a statement. “We have identified and removed malware that was the source of the breach, and we continue to take steps to improve security against any future attacks. Shoppers can feel confident using credit or debit cards at any of our store locations.”
The Cadence Continues
We caught up with Ken Westin, senior security analyst for advanced threat protection firm Tripwire, to get his take on the breach. He told us the cadence of retail breaches continues and will continue.
“Unfortunately, even though retailers have started the transition to EMV [cards with security chips] and are implementing stricter security standards, we will continue to see credit card breaches for quite some time,” Westin said. “In many cases the vulnerabilities that criminal hackers are targeting are baked into the payment infrastructure and that means it take considerable resources to migrate to more secure solutions.”
Many retailers need to implement completely new hardware to support EMV so it might be a good time for companies to reevaluate security payment systems as a whole, he said. This is especially relevant given the new threats that are targeting weaknesses in payment systems.
“The implementation of point-to-point encryption and stronger security controls on point-of-sale endpoints are just two examples of things retailers can do right now to protect their customers,” said Westin.
Beyond This Threat
Mark Bower, global director of product management for HP Data Security, told us this is yet another hack that underscores the need for companies to protect all of the sensitive information they hold on their customers.
“Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line,” he said. “Particularly with the transition to EMV, a data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”
Bower said proven methods are available to neutralize this data from breaches. He noted that leading retailers have adopted data-centric security techniques with huge positive benefits, including reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.
“With the available technologies today to protect sensitive data very easily and quickly,” he said. “it’s a simple matter to cover all your bases to protect consumer trust and satisfaction.”