Outdoor clothing company Eddie Bauer has become the latest victim of a large scale Point of Sale malware attack, leading to the compromise of customer card data over the first six months of this year.
The firm claimed in a press release late yesterday that it is currently notifying an unspecified number of customers about the attack, which took place between 2 January and 17 July this year.
Interestingly, the company said that this POS malware campaign was part of a “sophisticated attack” encompassing a range of hotels, restaurants and retailers.
It emerged this week that a major breach had occurred at Hyatt, Marriott, Starwood and Intercontinental hotels between March and June 2016.
“We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” said Eddie Bauer CEO, Mike Egeck.
“In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”
The firm didn’t specify the scale of the attack, but Brian Krebs claimed the malware had affected its 350+ stores in North America.
Krebs said he reached out to Eddie Bauer six weeks ago, after being informed of the suspected attack by banking contacts who spotted patterns in card fraud at their end.
The security researcher railed against the lack of information given out by the victim organizations in these POS attacks, claiming that more details on the “attack tools and online staging grounds” used could help infosecurity professionals better fortify their own systems.
Travis Smith, senior security research engineer at Tripwire, argued that POS malware continues to be an attractive target for cybercriminals and until more businesses start switching to Chip and PIN, it will likely remain so.
“The best advice for retailers is to place any point of sale machine on a segregated network from any other machines with locked down internet access. These machines typically have a handful of internet locations required to process credit card data, if they require any at all,” he added.
“Locking down this communication will reduce the likelihood that malware will be able to successfully ex-filtrate private information to the attacker.”
However, migrating to a segregated network could cost hundreds of thousands in equipment and network redesigns, which many retailers might shy away from, Smith concluded.