Staples: Breach May Have Affected 1.16 Million Customers' Cards

mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.
  • Honestly (Score:5, Insightful)

    by Anonymous Coward on Friday December 19, 2014 @09:26PM (#48639503)

    I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.

    I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.

    • by Anonymous Coward

      I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).

      • I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).

        You are missing out on free cash using plastic. You need to eat, you need to pay bills, you need gas (assuming you own a vehicle). You are going to pay for those things anyway. There is no reason to not pay for it on the card, reap the cash back benefits and cash in when you need to. (I usually end up with about $400 or so for the year.)

    • by Richy_T ( 111409 )

      Satoshi Nakamoto does.

    • by ruir ( 2709173 )
      People are cutting corners, not willing to pay seasoned professionals and outsourcing service to clueless IT "professionals" in the 3rd world... so none of this is exactly unexpected.
  • Neener (Score:2, Funny)

    When I shop at Staples, I use Apple Pay.

    • Or Google Wallet.

      Let's not credit Apple alone with a solution when there are at least two major players in that market both encompassing a large install base and indeed Apple bringing their solution to the table much later.

      • Both schemes are just part of the NFC standard, which has worldwide support. The problem with Google Wallet in favor of Apple Pay is that GW requires sharing customer data with Google. Better hope there isn't a breach. GW also requires the user open an app on his device and enter a PIN. AP just comes up when you touch an iPhone to the point-of-sale terminal, and authenticates with your thumbprint.

      • by Shados ( 741919 )

        Personally at this point my favorite is LevelUp, though it's a lot more localized. It's just a barcode picture, you point whatever version you have to the machine, it turns green, you're done, save a ton of money, and can use whatever device you want (android wear watches work nicely with it).

        It's not as fancy schmancy as NFC, but the deal is better for both the customer (get pretty decent discounts) and the merchant (pretty much no transaction fee whatsoever and free hardware in many cases).

  • by ArcadeMan ( 2766669 ) on Friday December 19, 2014 @09:31PM (#48639523)

    That was easy [staples.com].

  • I think it's about time we implemented some sort of single use credit card system.
    • by plover ( 150551 ) on Friday December 19, 2014 @11:02PM (#48639775) Homepage Journal

      I think it's about time we implemented some sort of single use credit card system.

      That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

      Look for it to be all over the US by October of next year.

      • October of next year??? It's been all over Canada for, like, five years or more already.
        • As someone who's worked in the industry, they've been trying to get it to work for at least a year. For some reason Not Invented Here reigns supreme, and we have to figure out how to get it to work without any help from the UK.

      • The only problem is most card issuers aren't going to chip and pin in the US. They are going to chip and signature, which isn't a huge improvement over plain magstripe and signature that we have now.
      • I think it's about time we implemented some sort of single use credit card system.

        That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

        Look for it to be all over the US by October of next year.

        For the past two years, my Visa provider intercepts the authorizations that are made via the internet, and electronically asks me to respond to questions that only I know the answer to (mother's name, graduation year, etc.). If I fail, the transaction authorization fails. So, just because someone knows the 3 digit code on the back of the card means zero.
        And our credit cards have had the chip version since 2011. That technology is just coming into force in the USA, after 4 years of fraud.

        • Hate to break it to you, Stan, but your Mother's maiden name and your year of graduation are public record.
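
A toy model of the single-transaction property plover describes above: the chip's cryptogram binds a per-card counter to the amount and merchant, so a captured authorization cannot be reused or altered. This is an added example, not code from the page, and not EMV's real algorithm; the shared key, counter handling and HMAC-SHA256 are constructed stand-ins.

```python
import hashlib
import hmac
import os
import struct

# Illustrative model of a per-transaction cryptogram, not the EMV specification (EMV
# derives session keys and uses a 3DES-based MAC; HMAC-SHA256 stands in). Assumed: the chip
# and issuer share a per-card secret and the chip keeps a monotonic transaction counter (ATC).

def _tag(key, pan, atc, amount_cents, merchant_id, nonce):
    """MAC over every field the issuer will check, so none can be altered in transit."""
    msg = pan.encode() + struct.pack(">HQ", atc, amount_cents) + merchant_id.encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0
    def authorize(self, amount_cents, merchant_id, nonce):
        self.atc += 1  # a fresh counter value for every transaction
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "merchant": merchant_id,
                "nonce": nonce, "cryptogram": _tag(self.key, self.pan, self.atc, amount_cents, merchant_id, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}
    def enroll(self, pan, key):
        self.keys[pan], self.last_atc[pan] = key, 0
    def verify(self, r):
        key = self.keys.get(r["pan"])
        if key is None:
            return "unknown card"
        expected = _tag(key, r["pan"], r["atc"], r["amount"], r["merchant"], r["nonce"])
        if not hmac.compare_digest(expected, r["cryptogram"]):
            return "bad cryptogram"   # amount, merchant, nonce or counter was altered
        if r["atc"] <= self.last_atc[r["pan"]]:
            return "replay"           # a captured authorization is worthless a second time
        self.last_atc[r["pan"]] = r["atc"]
        return "approved"

def demo():
    issuer, chip = Issuer(), Chip("4111111111111111", b"constructed-card-key")
    issuer.enroll(chip.pan, chip.key)
    req = chip.authorize(1999, "STORE-0115", os.urandom(4))
    first = issuer.verify(req)
    replay = issuer.verify(req)                    # same cryptogram sent a second time
    tampered = issuer.verify(dict(req, amount=1))  # amount changed in transit
    return first, replay, tampered
```

The account number itself is still transmitted, which is why the commenters below note that this does not by itself stop a terminal from recording it.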
  • by Anonymous Coward

    Now that we're through talking about Innocence of Muslims and the arrest of its producer, can we talk about what happened to Sony?

  • "point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes"
  • Enlighten me Slashdotters...

    Are these companies storing Credit Card data in plain readable text? I ask because there seems to be no end to these breaches.

    Why not try this as a solution?

    Store these numbers and all pertinent information like Unix/Linux stores passwords. I am meant to understand that even if one stole the "hashed" details they would be of no use. What am I missing?

    • by lucm ( 889690 ) on Friday December 19, 2014 @11:07PM (#48639785)

      It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.

      The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.

    • by Shados ( 741919 )

      This isn't a password you can hash and compare hashes. You have to use the number, so it kind of has to be in number form somewhere... Even if it was encrypted and the key was on a different machine... it will get read and decrypted next time it's needed. Then you can steal it there.

      Now for a lot of cases you don't need to store credit card numbers at all, you can just replay a transaction, but that's not always possible.
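
To make concrete what this thread is circling (a card number has to be usable again, so it cannot be hashed like a password, but the retailer need not be the one holding it), here is an added example, not from the page: a sketch of tokenization, where the PAN lives only in a processor vault and the merchant keeps a random token with which later charges are "replayed". ProcessorVault, Merchant and the test PAN are constructed for illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects obvious typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Stands in for the payment processor: the only system that ever keeps the PAN."""
    def __init__(self):
        self._cards = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)   # random; carries no information about the PAN
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Run a (repeat) charge on the merchant's behalf; the PAN never leaves the vault."""
        return token in self._cards and amount_cents > 0

class Merchant:
    """What the retailer keeps: a token plus the last four digits. No PAN, expiry or CVV."""
    def __init__(self, vault):
        self.vault, self.customers = vault, {}

    def save_card(self, customer_id: str, pan: str, expiry: str) -> dict:
        token = self.vault.tokenize(pan, expiry)
        record = {"token": token, "last4": pan[-4:]}
        self.customers[customer_id] = record
        return record

    def rebill(self, customer_id: str, amount_cents: int) -> bool:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)

def demo():
    merchant = Merchant(ProcessorVault())
    record = merchant.save_card("cust-42", "4111111111111111", "12/29")  # constructed test PAN
    ok = merchant.rebill("cust-42", 2599)
    leaked = any("4111111111111111" in str(v) for v in merchant.customers.values())
    return record["last4"], ok, leaked
```

This protects data the retailer stores; as lucm notes above, it does nothing for a number read by malware on the terminal at the moment the card is swiped.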

  • I would love to know exactly how it happened so I may learn from their mistakes. I can only assume they had incredibly poor security measures in place or they were breached by some ninja whose skills were beyond comprehension. Some of the TJMaxx details were released which revealed they had poor wifi security at the store, holding onto data they shouldn't have, and no proper encryption of data, so the criminals basically cracked them from a laptop in the parking lot. If all the latest hacks are similar t
    • I've worked in the field of IT security, so I too will be looking forward to learning details. The story of the TJX incident was quite interesting - not just the technical details, but also the conversations between the perpetrators, the fact they knew they were getting greedy and should have gotten out of Dodge, etc.

      I'm not so sure it needs to be either really crappy security or a great cracker. Generally, breaking things is easier than making things, so an average bad guy can defeat average securit

  • Network Level (Score:5, Insightful)

    by Cytotoxic ( 245301 ) on Friday December 19, 2014 @10:51PM (#48639753)

    It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.

    If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.

    • There should be more isolation, yep. When I handled POS the terminals had no local storage at all, they were network booted from images on the site server and the LAN they were on had no outside access at all. The site servers were on our own wide-area network that connected them to corporate, and there were only two network segments (Development and Support) that could connect to the site servers (sites couldn't even connect to each other). Access to the Dev and Support networks from the rest of the compan

    • by leonbev ( 111395 )

      It doesn't help that most POS systems that I've recently used at fast food restaurants still run unpatched copies of Windows XP and often have other unpatched systems sitting on the same network switch with them.

      That's a PCI compliance violation, by the way, but they never bother to fix it until they fail an audit. The store owners are just too busy slinging fries to learn about IT security or even give a damn about their systems unless they are completely down.

      So, yeah, pay cash for your fast food unless y
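
The point Cytotoxic and the replies make above (only specific addresses and ports may cross from the POS segment, so a compromised terminal has nowhere to send what it captured, and a neighbouring unpatched box cannot be reached either) expressed as a default-deny allowlist, here applied to flow records so the same policy doubles as a detection rule. This is an added example, not from the page; the segment, addresses and log format are constructed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed policy for one store's POS segment: terminals may reach only the
# site server and the payment gateway, on one port each. Everything else is denied.
POS_SEGMENT = ipaddress.ip_network("10.115.20.0/24")
ALLOWED = (
    (ipaddress.ip_network("10.115.1.5/32"), 8443),    # site server (constructed address)
    (ipaddress.ip_network("203.0.113.10/32"), 443),   # payment gateway (documentation range)
)

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src=... dst=... dport=... proto=...'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv["proto"])

def is_allowed(flow: Flow) -> bool:
    """Default deny for POS-originated traffic; other segments are out of scope here."""
    if flow.src not in POS_SEGMENT:
        return True
    return any(flow.dst in net and flow.dport == port for net, port in ALLOWED)

def find_violations(lines):
    """Flows a default-deny firewall would drop; seen in logs, they are the alerts to chase."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]

# Constructed sample log: two legitimate flows, a terminal pushing to an outside host,
# a terminal reaching a neighbouring segment on SMB, and an office PC (out of scope).
SAMPLE_LOG = [
    "src=10.115.20.7 dst=203.0.113.10 dport=443 proto=tcp",
    "src=10.115.20.7 dst=10.115.1.5 dport=8443 proto=tcp",
    "src=10.115.20.9 dst=198.51.100.77 dport=443 proto=tcp",
    "src=10.115.20.9 dst=10.115.30.4 dport=445 proto=tcp",
    "src=10.115.40.3 dst=198.51.100.77 dport=443 proto=tcp",
]

def demo():
    return [(str(f.src), str(f.dst), f.dport) for f in find_violations(SAMPLE_LOG)]
```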

  • Then no one can claim that hacked anything. We can all say, "Bullcrap! You downloaded that off PostYourCC.com!"
    Besides, they can't use all of them.
  • Someone hacks a pharmacy chain. Credit card and medical info? Jackpot.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Friday December 19, 2014 @11:26PM (#48639859)
    Comment removed based on user account deletion
  • Hey, is anybody noticing a trend that Windows combined with outsourcing == cracked systems.
    When will managers learn to think?
  • by Anonymous Coward

    I don't live in the US but I visited last year. I made a purchase at Target (not Staples, I know) and was shocked when the clerk did two things with my CC: they first ran the card through the in-house POS computer. And then put the card in the hand-held bank issued (I assume) POS device to conduct the sale. I asked her why she ran it through the in-house computer and of course was told that it was "policy" and that's how it works. Don't worry, I didn't have a pointless argument with the sales clerk.

    But this

  • Windows at a POS gives the employees of an empty store a lot of entertainment options, but it also causes problems when malware gets bundled with the hot new app of the moment. So, it looks like Staples should invest in a new POS system that is better locked-down. If malware is showing up on your task lists, you at least need a format and reinstall to be sure you're safe.
