I often emphasize in my presentations on security breaches that retailers get a lot of attention, yet they represent a small percentage of the overall number of breaches.
A story by Oregon’s KCBY about a Secret Service investigation in Seattle is a good example of this. They call it “cyber attack larger than first thought”:
…the U.S. Secret Service tells KOMO News we’re dealing with a much bigger crime than first expected. Agency spokesman Bob Kierstead says the total number of accounts compromised could be in the high hundreds.
“It could go over a thousand,” said Kierstead. “We are very close to pinpointing the actual person or persons who perpetrated this crime.”
The fraud is real and the harm should not be discounted. This story does a good job emphasizing the importance of a breach of hundreds or thousands out of the community that has eaten at or lives near the Broadway Grill.
However, it does not pull in any industry data, financial services names, or even a national view to put this breach in perspective.
News sources, taken together, suggest that back-end servers were storing card data after authorization. They also suggest sniffers were used to pull data that other retail locations were processing in the clear. I hardly see either of these as a new attack vector for retailers. Both have been known problems, and the subject of breach reports, since the beginning of the PCI DSS compliance standard over six years ago.
Capitol Hill news points out that the restaurant used Action Systems’ Restaurant Manager software and may have been on a version at least four years old.
Restaurants using Restaurant Manager v15.0 or earlier have been notified repeatedly that they must upgrade to a more current version of the software before they will be able to operate as a PCI Compliant business.
It is the restaurant’s responsibility to act on these repeated warnings.
Although this points readers back into the retail operation, the reality of the hack is that the restaurant was an entry-point but not the true target. The attackers moved from the restaurant system into the transaction processing system where they hoped to collect a large stream of card data. Even though they hit a sensitive area their breach achieved far less than the exposures we have seen in the past few years. The numbers indicate the risk and impact of retail breaches have declined. Compare it with what other industries experience now — ones that lack a compliance standard like PCI DSS — and “into the 1,000” could be seen as part of an overall downward trend in risk.