On Monday I wrote about two new Point of Sale breaches, one at HEI hotels and the other at Oracle. I said that it was only Monday and we already had two POS breaches.
Well, the week is almost over and I am going to bookend it with another POS breach. Eddie Bauer, the clothing chain, announced on Thursday that the POS system in all of its stores had been compromised. That represents 350 or more stores. In their effort to control the spin, Eddie Bauer said that the breach did not affect their web site.
While Eddie Bauer said in a press release that “the security of our customers’ information is a top priority for Eddie Bauer,” Brian Krebs reported this week that when he contacted the chain on July 5th, the spokesperson thanked him but said they had not heard of any fraud complaints from their banks. Unlike the ortho clinic I wrote about two days ago, Eddie Bauer is offering identity theft protection to their customers who were affected.
In today’s world of competition and lawsuits, companies are loath to provide any information about what happened if there is any way to avoid it. As a result, other stores and end customers have very little guidance on what happened and what to look for.
Eddie Bauer did say that they thought that the hackers were in their systems from January 2, 2016 to July 17th, 2016.
Curiously – and possibly coincidentally but maybe not – July 2016 is also the date that Eddie Bauer rolled out a chip-based point of sale system. We cannot say with certainty that the hackers would not have succeeded if Eddie Bauer had had the chip-based system in place last November, when the Visa/Mastercard deadline to deploy chip-based point of sale systems came and went, but it may well have blunted the effect of the hack. The issue there is that not only are retailers way behind in deploying chip-based POS systems, but the banks are also way behind in mailing out chip cards; that is a story for another day.
What we can say is that IF they had chip-based solutions in place, at least for those customers who had chip cards, their credit card information would not have been visible to the hackers inside the POS system.
Eddie Bauer has not yet said that they are running the Oracle Micros software that I wrote about on Monday as having 300,000+ locations compromised, but if you look at Jeff Piller’s LinkedIn profile, you find some relevant details. Jeff, his profile says, is the Director – Technology & Architecture at Eddie Bauer and has been for roughly the last 4 years.
In his accomplishments, he says that he “implemented Oracle Point of Sale to U.S. and Canadian Stores to replace legacy IBM solution” and that he is “currently implementing EMV [that means chip credit cards – mitch] for ORPOS [or Oracle POS – mitch] and Mobile Point of Sale”.
To me, that is certainly a strong indication that Eddie Bauer is using the Oracle software and got swept up in the Oracle Micros mess.
ANYONE who is running a POS system needs to be reviewing the security of that system with some significant urgency.