While investigators wouldn't finger the victims other than Schnuck's, it's easy to make a short list of likely suspects who reported apparent remote-access breaches over the past six months. They include regional grocery chains Bashas and Raley's, restaurant chain Zaxby's, convenience store chain Mapco Express (NYSE:DK) and discount hardware chain Harbor Freight Tools.
Craig Hutzell, a spokesman for the Secret Service's Kentucky Electronic Crimes Task Force, told Bank Info Security that the malware used in the attacks and the methods of entry all trace back to a single hacker using an overseas IP address. "It's the same [modus operandi], and the malware matches what we had here in our breach," Hutzell said.
Hutzell confirmed the connection between the Schnuck's breach and attacks on a group of retailers in Kentucky and southern Indiana, but would not name the other four retailers, saying it was not clear if all of those incidents had been made public.
But the attacks on the Kentucky and Indiana retailers all exploited the same unpatched vulnerability in the same POS software. That strongly suggests the remaining attacks relied on essentially the same flaw, exploited by the same malware, whether or not the POS software itself was the same. Investigators haven't named either the software or the local reseller who provided it.
And that, of course, leaves every other chain, large or small, twisting in the wind. The thieves know exactly what the vulnerability is, and they can keep probing other chains' remote-access services to find POS systems with the same hole. But without knowing what the vulnerability is, how it's exploited or even which POS software is affected, chains (and, for small chains, their resellers) can't confirm that the relevant patch has actually been applied, and can't test whether their POS systems are exposed.
That can't continue. Knowing as much as possible about current common attacks is critical for any retailer trying to defend against them. (Again, for smaller retailers who don't have in-house security expertise, we're talking about resellers and consultants. They're the ones who are doing the actual defending.)
And knowing current attacks is going to be even more crucial when PCI 3.0 kicks in, four months from now. That's when penetration testing joins more traditional PCI security verification. It's essential for pen testers to have as many of the bad guys' weapons as possible in their testing arsenals. After all, that's what pen testing is for: to mimic what real attackers will do if they get the chance.
Right now, cyberthieves are getting too many chances. If a single Eastern European attacker really is responsible for a five-chain, six-month card-siphoning spree, that PCI pen-testing requirement comes none too soon. Better still will be the point when smaller chains that now rely on self-assessments also start hiring pen testers for low-end engagements. There's a lot of potential revenue for little work for pen testers armed with a comprehensive automated script that probes for the known holes, which is what cyberthieves are going to be using anyway. One caveat: an automated scan is only the starting point. PCI treats vulnerability scanning and penetration testing as separate requirements, and the value of a pen test is a human attacker following up on what the scan turns up.
But that still depends on investigators being a little less stingy with information on how breaches happen. The active thieves already know, and they've probably already shared vulnerability details with other potential thieves. By keeping security people and retailers in the dark, who are investigators protecting—well, besides the resellers who failed to patch their customers' software and the software vendors who sold buggy POS systems in the first place?