Eddie Bauer Reports Intrusion Into Point of Sale Network

Data belonging to customers who used payment cards at all 370 Eddie Bauer locations in the US, Canada compromised.

Clothing store chain Eddie Bauer has become the latest in a growing list of organizations to suffer a breach of its point-of-sale systems.

The company Thursday announced that unknown intruders had broken into its network and planted malware for capturing payment card data from its POS network. It described the intrusion as sophisticated and directed at multiple retailers, hotels, and restaurants.

The breach has exposed data belonging to an unspecified number of customers who used credit and debit cards to pay for purchases at Eddie Bauer stores between January and July this year. Not all transactions during this period were compromised the company said.

The data that was exposed in the breach included cardholder name, card number, expiration date, and card security codes.

From the retailer’s carefully worded description of the scope of the attack, it appears like all 370 Eddie Bauer stores across the United States and Canada were impacted by the intrusion. Eddie Bauer has said it will pay for one year’s worth of identity protection services for all customers impacted by the breach.

In a statement, Eddie Bauer chief executive officer Mike Egeck said the company is working with the FBI, cyberecurity firms and the credit card associations to mitigate fallout from the intrusion.  

Eddie Bauer is one of several organizations that have reported a breach of their POS systems in recent weeks and months. Earlier this month, HEI Hotels & Resorts, the operator of brands such as the Marriott, Hyatt and Sheraton and Westin disclosed a similar attack involving 20 of its properties.

Like Eddie Bauer, the hotel operator too blamed unknown attackers for planting malware on its POS network for intercepting and stealing credit and debit card data. 

The HEI breach announcement was preceded by another one this time from Oracle, which said attackers had placed malware on a website used to deliver support to customers of its MICROS POS subsidiary. Oracle said the malware was used to capture the usernames and passwords of MICROS’ customers logging into the support site. Some have speculated that the attackers behind the MICROS breach used their foothold on the support site to break into POS systems belonging to the vendor’s many retail and restaurant customers.

The string of breaches has heightened concerns about POS systems becoming a weak link in the US payment system chain even as credit card companies have tried to bolster security by migrating everyone to smartcards based on the Europay Mastercard Visa standard. The migration is widely expected to reduce some types of payment card fraud. For instance, EMV smartcards are expected to make it much harder for criminals to clone payment cards.

But POS systems, the electronic cash registers where people complete their transactions, continue to be vulnerable. In the last few years, attackers have increasingly targeted these systems so they can intercept card data between when a card is swiped or inserted at a payment device and before it is encrypted.

“Retail malware is typically designed to steal clear data in memory from POS applications,” said George Rice, senior director, payments, at HPE Security in a statement. This includes data from the magstripes on the back of cards, EMV card data and other sensitive data. “A POS application in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”

In a statement, Travis Smith, senior security researcher at Tripwire said retailers should consider putting their POS systems on a segregated network and separate from systems with Internet access. “Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker,” he said.

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights