Data Breaches: What Retailers Need to Know About Malware
By Mark McCurley, IDT911 Consulting
And the hits just keep on coming. Retailers across the country are falling prey to cyber attacks, with one of the latest announcements coming from Michaels and its subsidiary Aaron Brothers.
Based on the information filtering out from Michaels, it appears the firm was a victim of an advanced persistent threat (APT) attack. APTs are based on malware that is specially coded by hackers to breach a specific target. The clincher is that APTs are also designed to be largely undetectable by most anti-malware applications. Even if the threat is recognized, it may be difficult to locate or remove.
In the case of the attack on Michaels, the malware is estimated to have been active in the system for about eight months. Consumers that shopped at Michaels between May 8, 2013, and Jan. 27, 2014, or at Aaron Brothers between June 26, 2013, and Feb. 27, 2014, are being advised to cancel their debit or credit cards and have their banks reissue new ones as a precautionary measure. In addition, victims have been encouraged to take steps to monitor their identity and credit accounts for potential fraud.
There are multiple methods hackers can use to transfer this type of malicious code to its target, including spear phishing e-mails that appear legitimate and trick an employee at the retailer into downloading the code into the network. Specifically how the attackers were able to successfully inject their malicious code into Michaels’s systems is unknown at this point.
Flashbacks to other hacks
For many in the retail sector, it’s nearly impossible to learn the details of the Michaels attack without having flashbacks of other recent incidents. Consider the massive Target breach in late 2013. Malware was the culprit in that incident as well, with the retailer’s point-of-sale (POS) data being funneled out through a compromised vendor connection.
The Target attack lasted 19 days — which seems to pale in comparison to the duration of the Michaels breach — but it occurred during the holiday season when registers were ringing up purchases at a frantic pace. The scope was tremendous, with Target estimating up to 70 million individuals may have been affected.
Neiman Marcus also suffered a data breach in 2013. For just over three months hackers siphoned off POS data using malicious code inserted into the retailer’s systems. The sophisticated attack is still being investigated, but so far little has been revealed about how the hackers gained entry to the system and precisely when much of the data was removed.
Why the hack could happen again
The first lesson retailers should take from the growing list of POS-based data breaches is that it could happen again. Whatever the root cause of these hacks, many retailers are scrambling to bolster their network security defenses by implementing additional layers of advanced threat detection systems. These can potentially detect previously unknown malware such as that used to steal data from Michaels and others.
Unfortunately, even when malicious code is detected retailers aren’t always able to eradicate it quickly or completely. Tens of thousands of alerts were triggered during the Neiman Marcus breach, but the level of automation and the sheer volume of administrative alerts processing through the systems made actionable detection difficult.
Cyber thieves are also getting better at crafting sneaky code and finding security weaknesses to exploit. In the case of Neiman Marcus, systems were deleting instances of the malware but the hackers found a way to quickly reload it. A compromised server was their pathway into the network. It provided them with a remote door to the inside of the systems that held valuable data as well as a route around many of the security measures that existed.
What retailers can do to mitigate risks and bolster security
Hackers are working to root out and take advantage of every security gap in retailers’ POS systems and networks. They’re actively targeting weak administrative passwords, vulnerable infrastructure components, unsecured (but trusted) external connections, and old-fashioned social engineering. Increasingly clever methods are being employed to install malware, but in many cases they’re unnecessary. Weak spots in the armor often provide all the invitation hackers need.
There are steps retailers can take right now to improve security around POS systems and associated networks, and most are inexpensive and relatively easy to implement.
• Require strong passwords or multi-factor authentication for POS administrative access and accounts.
• Restrict outside access to POS systems wherever possible.
• Completely disallow remote access unless it’s absolutely necessary.
• Update all POS software application using the latest security patches.
Marc McCurley, senior information security advisor at IDT911 Consulting, has more than 24 years of experience in information technology and security. During the last decade, his career has centered on information security, risk management and compliance for customer information systems that are required to adhere to commercial, federal and DoD regulatory compliance mandates and directives. He has developed security programs and has been directly responsible for ensuring customer information systems successfully passed IT security and compliance audits. Mark most recently worked in a senior role for Sony where he was responsible for their vulnerability management and risk assessments platform. He can be reached at [email protected]
Walmart ‘Open Call’ yields made in USA action
Five hundred suppliers, 200 merchants and 800 meetings equaled made in U.S.A. magic for Walmart as the retailer looked to accelerate domestic sourcing with a first ever event dubbed Open Call.
Walmart held the event at its Bentonville, Ark., headquarters on Tuesday, July 8, to discover domestically sourced products from new and existing suppliers that can help the company meet its goal of buying an additional $250 billion in American-made products in the next 10 years.
The 500 suppliers who crammed into small meeting rooms that line both sides of a long main hallway at Walmart’s home office were evenly split between existing suppliers looking to sell new domestically manufactured goods and suppliers who are new to the company, according to Michelle Gloeckler, Walmart’s EVP of consumables and U.S. Manufacturing.
Gloeckler has led Walmart’s domestic sourcing initiative since it was unveiled 18 months ago by Walmart U.S. president and CEO Bill Simon. She said Open Call was about finding new and existing suppliers who have products that are made in the U.S. that Walmart isn’t buying and connecting those companies with merchants from Walmart, Walmart.com and Sam’s Club. Doing so, combined with buying more of what the company already buys and reshoring the manufacturing of goods, are the three main ways Gloecker said Walmart expects to achieve its goal. Judging from the turnout at the inaugural event and the energy evident in the hallway among suppliers meeting with Walmart merchants for the first time, the retailer expects to uncover plenty more domestically manufactured goods, but did not indicate when it might hold another Open Call event.
“What today has taught us is that there are a lot of great U.S. made products out there and we need to figure out a way to get them to our customer whether that is in our stores or online,” Cindi Marsiglio, Walmart vp of U.S. sourcing and domestic manufacturing told Retailing Today.
She said the event exceeded the company’s expectations and indicated the next major undertaking on the company’s domestic sourcing journey would take place August 14 and 15 in Denver when the company holds its second U.S. Manufacturing Summit. The key difference between this year’s Summit and the inaugural event last year in Orlando is that Walmart is looking to play an even larger role as facilitator and accelerator. According to Gloeckler and Marisglio, one of the challenges suppliers face is connecting with manufacturers who have available capacity in the U.S. To remedy that situation, Walmart will feature a trade show format at the event in Denver to serve as a matchmaker between suppliers who would like to sell domestically sourced goods but need help locating manufacturers with the capacity to do so.
Container Group CEO notes ‘retail funk’ in Q1 results
Coppel, Texas — The Container Store on Tuesday posted a 0.8% decline in same-store sales in the first quarter, its first decline in the metric in 16 quarters.
“We thought our sluggish sales were all because of weather and calendar shifts that began last November and continued into the spring, but now we’ve come to realize it’s more than weather and calendar. Consistent with so many of our fellow retailers, we are experiencing a retail ‘funk,’” said Kip Tindell, chairman and CEO.
Net sales in the company’s retail business were $149.7 million, up 8.9% over the year-ago period, with the increase primarily driven by new store sales. Total net sales were $173.4 million, up 8.6% over last year.
Tindall said while the company is confident customer enthusiasm for the brand and employee morale are at all-time highs, the chain continue to experience slight traffic declines in a “surprisingly tepid” retail environment.
“While consumers are buying homes and automobiles and even high ticket furniture, most segments of retail are, like us, seeing more challenging sales than we had hoped early in 2014 – so we’re not alone in this,” Tindall said.
The Container Store opened three new stores in the first quarter — in King of Prussia, Pennsylvania, , a second store in the Seattle area and its first Rhode Island store located, in the Providence area. The company announced the location for an additional store in the Phoenix market that will contribute to its 12% minimum square footage growth in fiscal 2014.
“Last quarter we announced we’re accelerating our annual square footage growth from 10% to 12% and we’re excited we’re able to add an eighth new store to achieve that 12% minimum square footage growth even in this fiscal year,” Tindall said. “Our average first year, four wall Adjusted EBITDA margin on new stores has averaged 23% and our invested capital has seen a payback of about 2 ½ years.”
The Container Store announced that it will launch a new, higher-end custom solid drawer and shelving closet solution this year. The new product will feature custom-built solutions crafted from the highest quality materials and with a variety of choices in wood grain finishes and extras including lighting and storage options for shoes, jewelry and handbags. It will pilot late this fall in seven stores in the Dallas/Fort Worth metroplex, with planned rollout to chain wide beginning in the spring of 2015.
Additionally, The Container Store has expanded the rollout of its AtHome personalized in-home organization and design service beyond the Texas market, having just launched the service in its Manhattan locations. The company plans to expand the program to additional markets such as Los Angeles, Chicago and the Washington, D.C., market by the end of this calendar year, with rollout to the rest of its stores in 2015.
The retailer also said that, as of July 9, it will have completed the launch of its new customer engagement program POP! (Perfectly Organized Perks) in all of its stores.
Looking ahead, Tindall predicted a slight improvement in the second and third quarters.
“But we are very much looking forward to the fourth quarter as we comp against the worst weather we had in our history last year and believe we will see marked improvement in our sales trends. Looking ahead, historically over 60% of our profitability has been derived in the fourth quarter, so from a profitability perspective fourth quarter is very important for us,” he said.