There's new evidence to suggest the Staples (NYSE:SPLS) and Michaels data breaches are connected and could be the work of the same cyber criminals.
The breaches at both retailers were attributed to malware installed on the POS systems, software that was apparently communicating with the same command and control networks, according to security blogger Brian Krebs.
Staples discovered malware at roughly 100 locations and Michaels suffered two separate attacks eight months in duration that resulted in the theft of more than 3 million payment cards.
Sources close to the investigations told Krebs that not only was the card-stealing software from the two retailers communicating with a shared source, but it may also be connected to a more recent breach at grocery chain Albertsons.
And while these incidents are believed to be safely in the past, most security experts, Krebs included, believe cyber criminals are ready to strike as the holidays draw near. And in spite of a steady stream of security breaches, retailers continue to be largely unprepared.
As we head into the peak holiday season, retailers will be, or should be, vigilant by monitoring networks and prioritizing compliance.
"Malware and other agents make their way into systems because basic controls fall down, such as changing passwords, patching systems, and managing access," advises Stephen Orfei, manager of the PCI Security Council.
Vigilance in everything is the rule of the season.
-See this Krebs on Security blog post
Supervalu becomes latest data breach victim
Supervalu's future lies in wholesale
Home Depot breach affects 56M debit, credit cards
Target breach cost $148 million; tech hub opens in Silicon Valley
Retailers still unprepared for security breaches