‘Big K’ raided by hackers: Kmart warns customers after malware discovered

I want our customers to be aware of the situation and I suggest that customers carefully review and monitor their credit and debit card account statements. If customers see any sign of suspicious activity, they should immediately contact their card issuer.”

Alasdair James

President and Chief Member Officer


Here we go again! Another major US retailer breached – more worried citizens checking their bank statements.

Michael Shuff asks:

Is the answer chip-&-PIN – or just better information security governance?  

Retail Industry analysts are on alert after Sears Holding Co. reported late on Friday that point-of-sale registers at its Kmart stores were compromised by malicious software used to steal customer credit and debit card information.

It looks like hackers have been enjoying ‘more thrills’ – to borrow a Kmart slogan – by planting malware inside Kmart’s store payment data system in order to steal payment card data. Kmart’s President and CMO, Alasdair James, stated in an open letter on the Kmart site (October 10, 2014) that the hacking  attack started in September, although the retailer has not yet revealed the full extent of the problem either in terms of the number of Kmart’s stores that have been affected or the volume of card data stolen. However, the form of the communication bears a remarkable resemblance to statements issued by Target and The Home Depot, and it is likely that the data stolen could be used to create cloned (i.e. counterfeited) versions of their shoppers’ payment cards.

The now ominous warning to check your bank and credit card statements will send millions of Americans online to pick through recent card transactions. One can only hope that the breach does not turn out to date from before September when the full facts are known following the investigations currently underway.

Mr. James’ statement says that there is no evidence so far that kmart.com customers have been impacted, and that the data breach has been contained and the malware removed. As I have reported recently in stories about card breaches, however, the market for stolen payment card information is currently awash with card details and it may be some time before the true cost of the breach is known – see ‘Home Depot: Has ‘carder culture’ beaten US Law?’ (October 6, 2014). Even if none of the stolen card information is ever used to commit fraud, the likely cost of reissuing cards as a security precaution could involve millions of dollars, which, most likely, will be translated into higher charges paid by users; therefore, in a sense, data breaches like this one impact honest shoppers. For how long, though, can retailers go on taking hits like this?

‘Point-of-sale’ is fast becoming ‘point-of-scam’ – what is causing this trend?

Data breaches affecting retailers are in the news on a regular basis. Those who hack to steal look for the easy money – and in the U.S. market at this moment in time, in-store payment card systems are vulnerable and attractive as targets.

Criminals only need to compromise a few POS terminals to collect hundreds, if not thousands, of credit card numbers, which can be sold on the black market. If they manage to exfiltrate data from POS terminals in different locations, the numbers will run to millions over several months if the malware installed remains undetected, as was the case with Target and Home Depot.

IT Governance recommends regular penetration tests and vulnerability scans in order to secure POS terminals. These are designed to identify potential vulnerabilities in infrastructure and web applications and will provide recommendations of how to improve network security. This will enable you to comply with client requests and facilitate compliance with information security standards, such as ISO27001. For more information on penetration tests and for pricing, please call 1 877 317 3454 or email us at servicecentre@itgovernanceusa.com.

Gavin Millard, Technical Director (EMEA) at Tenable Network Security, a developer of vulnerability management solutions, said, “If retail organizations fail to take the threats posed by malware targeting point of sale devices seriously, we’ll see more breaches of this nature surface over the coming months.  The need to ensure point of sale devices are securely configured, up to date on all patches, and segregated appropriately from the rest of the infrastructure is critical in reducing the risk of exposing credit card and other personally identifiable information. The attack vectors and indicators of compromise for Backoff and BlackPOS are well known and should be continuously monitored for by any retailer as a priority.”

Backoff is one POS-targeting malware discovered in August, but was found to be active as far back as October 2013.  Backoff looks to exploit remote desktop applications (RDA).  If one of the targeted RDAs is installed on a targeted host, Backoff performs a brute-force attack against the administrator account password.  If the attack is successful, Backoff can then install the POS malware with an administrator privileged account.  User payment details are then exfiltrated via an encrypted POST command. Backoff  has been identified as having four variants in the family; all four have at least three (if not all four) of the following functions: scraping memory for track data, keystroke logging, command and control communications, and injecting a malicious stub into explorer.exe (this last function is not seen in version 1.4 of Backoff).  While not as sophisticated as some POS-targeting malware, Backoff is effective and shows the continued and increased targeting of POS systems.

What steps should retailers take to ensure that these risks are assessed?

IT Governance brings a wealth of experience in the cyber security and risk management domain. The company’s consultants have been delivering comprehensive risk assessments for more than ten years and are now providing this service in a cost-effective way online to organizations in the U.S.

A cyber security risk assessment is necessary to identify the gaps in your organization’s critical risk areas and to determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources. See the link for details of the service that could save you millions of dollars by helping to prevent hacking attacks and data breaches.

Why are risks assessments necessary when addressing technology threats?

Gavin Millard again: “Many organizations spend a significant amount of time trying to codify risk and document procedures but often the issues arise when the technology purchased to address the risks are not deployed effectively, operationalized, integrated into an end to end business process and measured appropriately to understand the effectiveness.” In other words, effective information security is based on good governance.

Gavin’s point is echoed by Tenable’s Advisory Board Member, Craig Shumard, who sums up the requirement for IT Governance based on management systems frameworks in his latest blog post, Strategies for Security Governance: “Effective security governance fails if it is not integrated into an overarching information security strategy, supported by senior management and the board, and linked with business and IT objectives”.

I asked Gavin by telephone this afternoon to propose a strategy that Kmart, Target, The Home Depot, and other large-scale American retailers being hit by ‘carder crime’ should consider in response to the hacking of payment systems.

There will inevitably be talk in the Media about chip & PIN technology, which I fully support as an effective method of reducing fraud, but at the heart of the story is the same problem that all major retailers and other organizations catching up with the growing cyber threat face today; namely a lack of control and visibility within the infrastructure. Kmart would appear to be the victim of a very well-known piece of malware. We’ve seen basically the same problem at Target, Home Depot and other retailers in recent months. The vectors of these attacks haven’t changed much in a decade but we still fall foul of them. Recent reports have stated that 70% of all malware that results in a major breach is custom-written to attack lucrative targets, circumventing antivirus and malware detection, so it’s important that other controls are used to detect indicators of compromise.”

Technology solutions only take you part way to solving this problem. This means operationalizing the technology within your organization using layered controls, continuous process monitoring and improvement, and – yes, a standards-based approach so you don’t have to reinvent the wheel.”

With regards to Standards, NIST Cyber Security, ISO27001, and PCI DSS, all have much to offer in terms of helping you to implement and measure the effectiveness of your information/cyber security program. Often the real enemy of the American retail industry and business generally is apathy. We shouldn’t be protecting millions of data records with single factor authentication, and there’s little point in investing millions of dollars in security technology if there’s nobody minding the store when the alarm sounds. Investing in the right preventative and detective controls, operationalizing and measuring the effectiveness of security and educating all members of staff to the issues will help reduce the risk of exposure.”

One suspects that we will be hearing a lot more about the Kmart breach in the weeks ahead, and that calls for action will continue to mount within the USA.

Managing your information security risks

ISO27001 packaged solutionsTo protect your business from information security risks, we recommend implementing an information security management system that complies with ISO27001, the international information security standard.

Our ISO27001 packaged solutions enable any organization to implement ISO27001 at a speed and budget that is appropriate for their individual needs and preferred project approach.

The ‘Get a Little Help’ package from IT Governance is for organizations that already have some management system expertise (with ISO9001, or ISO20000, for instance) and an initial understanding of information security management, as well as the necessary available internal resources and a corporate culture of using best-in-class tools and skills to accelerate learning and implementation while still essentially following a do-it-yourself approach to project management.!

Find out more: http://www.itgovernance.co.uk/shop/p-1651-iso-27001-get-a-little-help-package.aspx

We can help you to implement effective cyber security procedures and controls using ISO27001. Spend a minute on our ISO27001 solutions page >>

Put your detailed questions to our consultants and learn from the experts:

Call us on 1-877-317-3454 today.