Kmart and Dairy Queen both said the security of their computer systems was compromised last week. This attack was the latest in a rash of hacking in-store payment systems among the likes of Target, Sally Beauty, Neiman Marcus, UPS, Michaels, Albertsons, SuperValu, P.F. Chang’s and Home Depot in the last year.
A statement from Kmart’s president Alasdair James asserts that while the malware installation occurred in early September and compromised debit and credit card numbers, the forensic investigation revealed that no personal information, no debit card PIN numbers, no email addresses, and no social security numbers were obtained by those criminally responsible. “There is also no evidence that kmart.com customers were impacted. This data breach has been contained and the malware has been removed,” James said. Kmart is offering free credit monitoring to affected customers.
Dairy Queen suffered a similar attack of malware and posted a full list of locations where security was breached. Dairy Queen also reported that customers’ personal information wasn’t stolen, the malware only picked up account numbers and expiration dates.
If it sounds like cyber theft is becoming a common occurrence among businesses of all sizes, it is. The Secret Service estimates that more than 1,000 U.S. businesses have been affected even though Homeland Security, along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry have warned businesses about the way hackers can gain entrance to in-store cash register systems.
The malware, which is known as Backoff after a word that appeared in its code, had previously been undetectable by antivirus products. Criminals gain access by scanning corporate systems for employees or vendors who can log in remotely. Then their computers are set in motion to try a host of user names and passwords until they crack a working combination.
This has become standard practice because many companies aren’t prepared to detect or protect themselves from attacks. A study by the Ponemon Institute, an independent security research firm, estimates that it could take 234 days before a company is privy to the malicious code in their IT systems. In another study, about a third of security experts within organizations said they continuously monitored their databases to detect unusual activity.
Concerned yet? Then hop on over to our latest coverage of strategies to reduce the threat of security breaches.