bebe Suffers First PoS Hack of the Holiday Season

It’s almost a year since the data breach groundswell began with the Target card data compromise that affected millions of in-store shoppers. Security experts have been nervously eyeing the approaching 2014 holiday shopping season, which has now claimed its first casualty with a security breach at upscale women’s fashion outlet, bebe.

The retailer has confirmed that for 18 days in late November (Nov. 8-26), hackers were able to gather point-of-sale (PoS) card payment information from various stores across the US, Puerto Rico and the US Virgin Islands. The data may have included cardholder name, account number, expiration date, and verification code. Purchases made through the website, mobile site/application, or in Canada and other international stores, were not affected.

“[The bebe breach] is an interesting one because cyber-criminals typically go for larger retailers—Target, TJX—to score larger caches of data,” said Bob West, chief trust officer at CipherCloud, in an emailed comment. “With dresses priced from $79 to $300+, the attackers might be targeting a specific customer profile with higher spending limits and larger spends than the typical retailer customer.”

And higher spending limits make stolen cards more valuable on the black market; plus, the busier an account, the less likely a fraudulent charge would be noticed.

While details of the breach remain sparse for now, the outline of it—PoS malware capturing scanned card information and sending it to data collection receptacles—follows a well-worn groove at this point.  

“This approach underscores the requirements of a successful breach: initial access into a network to place the malware, vulnerable systems on which to place it, vulnerable systems to use as data collection points, and outbound access from the network to external data repositories,” said Steve Hultquist, chief evangelist at RedSeal, in a comment to media.  “There are enough steps in the attack that automated analysis of the entire network is a critical and necessary defense. Leaving to reactive technologies the task of defending the organization without even knowing that they are properly placed within the network leaves the organization open to persistent attack. It is time for organizations to move beyond passive reactive defenses to active preventative technology.”

As far as consumers are concerned, the good news is that banks are protecting them on several fronts—from refunding any fraudulent charges to proactively blocking and changing their card numbers.

“During the holiday season, and other times of high e-commerce activity, it has gotten to the point where financial institutions are proactively looking for stolen cards on the underground markets,” said Ian Amit, vice president at ZeroFOX. “The financial institutions then work to identify and recover the cards associated with their clients in order to minimize additional fraudulent charges.”

And indeed, CipherCloud’s West pointed out that it’s worth noting a couple of small wins for the banks with respect to this breach. Even before bebe has confirmed the breach, banks already started sharing information, which is what tipped the cyber-community off.

“Based on that information, the theft occurred for payments made from 11/18 to 11/28, which is a relatively quick detection by banks,” he said.

What’s Hot on Infosecurity Magazine?