Staples investigating possible credit card data breach

Several big-box retailers have fallen victim to payment card breaches in recent months, with Target, Kmart, and Home Depot among the chains that have wound up in hackers’ crosshairs. Now Framingham-based office supply retailer Staples is looking into a possible credit card breach of its own.

According to the cybersecurity writer Brian Krebs, the issue may be concentrated in the northeast.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Staples is working with law enforcement on the issue, according to the AP.

The breach is reportedly limited to roughly a dozen stores in the Northeast and may affect only a couple of thousand customers

Staples, Inc. (SPLS), America’s largest office-supply retail chain, has confirmed it is investigating “a potential issue”: a possible breach of its credit card processing systems. Brian Krebs, an investigative journalist and former senior security reporter for The Washington Post, first reported the breach.

I. Breached – But This Time It Appears to be a Smaller, Localized Data Loss

The breach follows the recent compromises of Target Corp. (TGT) and The Home Depot, Inc. (HD), in which attackers reached store networks chain-wide and walked off with tens of millions of customers’ card numbers. The good news is that this breach appears far more localized, which suggests it may be the work of local scam artists rather than a chain-wide compromise.

Brian Krebs reports:

[I]According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.[/I]

Staples’s Senior Public Relations Manager Mark Cautela remarks:

[Staples is investigating a] potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.

Reportedly, the fraudulent charges against customers were placed at merchants other than Staples. That pattern, card data harvested at one merchant and then cashed out elsewhere, is, as Mr. Krebs writes, consistent with standard card-stealing malware on the point-of-sale systems. In that regard, the breach may resemble at least one component of the Target and Home Depot breaches.
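The bank-side analysis behind this reporting (cards that later saw fraud had all previously been used at a small number of Staples locations) is what issuers call common point of purchase analysis. The Python below is an added illustration of that technique, not code from the article, from any bank, or from Staples; the transaction log, card identifiers and merchant identifiers are all constructed for the example and are not real store numbers.

```python
"""Common point of purchase (CPP) analysis, as an issuer runs it after fraud
reports: find the merchant location that the fraud-hit cards share far more
often than comparable clean cards do. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed card-present transaction log: (card_id, merchant_location, date).
# Merchant and card identifiers are hypothetical, not real Staples store numbers.
TRANSACTIONS: List[Tuple[str, str, str]] = [
    ("c1", "STAPLES-PA-0412", "2014-09-02"), ("c1", "GROCER-001", "2014-09-05"),
    ("c2", "STAPLES-PA-0412", "2014-09-03"), ("c2", "GAS-017", "2014-09-09"),
    ("c3", "STAPLES-PA-0412", "2014-09-04"), ("c3", "GROCER-001", "2014-09-06"),
    ("c4", "STAPLES-NY-0088", "2014-09-04"), ("c4", "GAS-017", "2014-09-10"),
    ("c5", "GROCER-001", "2014-09-05"),      ("c5", "GAS-017", "2014-09-07"),
    ("c6", "GROCER-001", "2014-09-08"),      ("c6", "STAPLES-NJ-0301", "2014-09-11"),
    ("c7", "STAPLES-PA-0412", "2014-09-08"), ("c7", "GAS-017", "2014-09-12"),
    ("c8", "GROCER-001", "2014-09-09"),      ("c8", "ELEC-330", "2014-09-13"),
]
# Cards the issuer later saw used fraudulently at *other* merchants (constructed).
FRAUD_CARDS: Set[str] = {"c1", "c2", "c3", "c7"}


@dataclass
class CppCandidate:
    merchant: str
    fraud_cards: int   # fraud-hit cards that transacted at this merchant
    clean_cards: int   # non-fraud cards that transacted at this merchant
    lift: float        # smoothed ratio of fraud-card rate to clean-card rate


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=2) -> List[CppCandidate]:
    """Rank merchants by how much more often fraud cards visited them than clean cards did."""
    cards_by_merchant: Dict[str, Set[str]] = defaultdict(set)
    all_cards: Set[str] = set()
    for card, merchant, _date in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    clean_cards = all_cards - fraud_cards

    candidates = []
    for merchant, cards in cards_by_merchant.items():
        f = len(cards & fraud_cards)
        if f < min_fraud_cards:      # a single fraud card at a merchant is coincidence
            continue
        c = len(cards & clean_cards)
        # Laplace-smoothed rate ratio: a merchant everyone shops at (the grocer)
        # appears on many fraud cards but also on the clean ones, so its lift is ~1.
        fraud_rate = (f + 1) / (len(fraud_cards) + 1)
        clean_rate = (c + 1) / (len(clean_cards) + 1)
        candidates.append(CppCandidate(merchant, f, c, round(fraud_rate / clean_rate, 2)))
    candidates.sort(key=lambda x: (-x.lift, -x.fraud_cards))
    return candidates


if __name__ == "__main__":
    for cand in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(cand)
```

The comparison against the clean population is the important part: in the constructed data the grocer shows up on half the fraud cards too, but it shows up on even more of the clean cards, so it ranks below the single Staples location that every fraud card shares and no clean card does. Real issuer data also needs a time window (only purchases before the first fraud report) and a much larger clean sample, which the example omits for brevity.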

Ironically, reports indicate that Staples uses International Business Machines Corp. (IBM) IBM i (AS/400) midrange systems with thin-client terminals for inventory, at some locations at least. Windows PoS malware cannot run on such systems. However, Staples reportedly runs Windows XPe on its point-of-sale stations, as Home Depot and Target did.

II. The Windows XPe Factor

While the exact specifics of the Staples data loss are unclear at present, digital fraud artists frequently use malware to target point-of-sale (PoS) systems running Windows XPe (XP Embedded). XPe is built on the Windows XP code base, which lacks most of the exploit mitigations added in later releases (address space layout randomization, for example), and any code running with administrative rights on the terminal can read the memory of other processes. Hence if attackers can gain remote or local access and install malicious software, it can scrape the memory of the sales application and pull out card numbers and magnetic-stripe track data in the window before they are encrypted for transmission to the processor. A newer kernel raises the bar but does not by itself stop a scraper that already holds administrative rights; that requires keeping cleartext track data out of the terminal's memory altogether, for instance by encrypting at the card reader.
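What a RAM scraper actually does once it can read the sales application's memory is simple pattern matching: walk the memory looking for magnetic-stripe track records, then keep only the hits whose account number passes the Luhn check so that random digit runs are discarded. The Python below is an added example of that scan, not code from the article or from any real PoS malware; it is written as the check a defender would run over a process dump to confirm whether the PoS software leaves cleartext track data in memory. The sample "memory image" is constructed inline and uses industry test card numbers, not real accounts.

```python
"""Scan a memory image for cleartext magstripe track data, the way a PoS RAM
scraper (or a defender auditing a PoS process dump) would. Sample data is
constructed; the PANs are well-known test numbers, not real cards."""
import re
from dataclasses import dataclass
from typing import List

# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
# Track 1, format B: '%B' PAN '^' cardholder-name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects digit noise that merely matches the track layout."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    offset: int
    masked_pan: str
    expiry: str        # YYMM
    service_code: str


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in buf, ordered by offset."""
    hits: List[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue
            hits.append(TrackHit(track, m.start(), mask_pan(pan),
                                 m.group("exp").decode("ascii"),
                                 m.group("svc").decode("ascii")))
    return sorted(hits, key=lambda h: h.offset)


# Constructed "process memory": padding, one Track 1 record and one Track 2 record
# built from test PANs, a Luhn-invalid decoy, and a receipt line with a masked PAN.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"SalesApp.exe\x00\x00"
    + b"%B5555555555554444^DOE/JANE^2512101000000000?" + b"\x00" * 8
    + b";1234567890123456=2512101000000?"      # decoy: layout matches, Luhn fails
    + b"RECEIPT 4111********1111\x00"          # masked: no full PAN, no hit
    + b";4111111111111111=2609101123456789?" + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Run against a real dump (for example, a process memory capture of the PoS application taken on a test lane during a transaction), any hit at all means track data exists in cleartext where a scraper can reach it. The masking in the report matters in practice: a finding that prints the full PAN turns the audit itself into a cardholder-data exposure.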

Microsoft Corp. (MSFT) has been aware of the inherent weaknesses in Windows XPe for at least half a decade now, and has advised enterprise clients to move critical hardware like point of sale systems to newer versions of Windows Embedded based on Windows 7 or Windows 8.

However, many retailers nationwide have declined to upgrade, judging the cost not worth it to protect customers. They would rather pay for credit monitoring after the occasional data breach than pay to move to a modern operating system whose memory protections would make their customers’ card data harder to steal.

On the other hand, a small but growing number of retailers have safeguarded customers by ditching Windows XPe and moving to enterprise Linux distributions. Lowe’s Companies, Inc. (LOW), the Home Depot’s chief rival, reportedly uses openSUSE for its PoS systems. Papa John’s Int’l, Inc. (PZZA), America’s fourth-largest takeout and pizza delivery chain, reportedly runs on Fedora, the Linux distribution sponsored by Red Hat, Inc. (RHT).

[ http://www.dailytech.com/Hackers+Hit+the+Easy+Button+Breach+Staples+Credit+Card+System/article36755.htm ]