More than 1,000 U.S. retailers could be infected with malicious software lurking in their cash register computers, allowing hackers to steal customer financial data, the Homeland Security Department said Friday.
The government urged businesses of all sizes to scan their point-of-sale systems for software known as "Backoff," discovered last October. The department previously explained in detail how the software operates and how retailers could find and remove it.
Earlier this month, United Parcel Service said it found infected computers in 51 stores. UPS said it was not aware of any fraud that resulted from the infection but said hackers may have taken customers' names, addresses, email addresses and payment card information.
The company apologized to customers and offered free identity protection and credit monitoring services to those who had shopped in those 51 stores.
Backoff was discovered in October, but according to the Homeland Security Department the software wasn't flagged by antivirus programs until this month.
The Backoff program itself is not unique. Like other malware designed to steal financial information from retail customers, the software gains access to companies' computers through insufficiently protected remote access points and by duping computer users into downloading malware. But its wide deployment by hackers and its repeated updates over the last six months make it a serious threat to consumers and businesses.
'Bad guys' gained confidence: analyst
Jerome Segura, a senior security researcher at cybersecurity software firm Malwarebytes, said that the way Backoff works is not unique. The program gains access to companies' computers by finding insufficiently protected remote access points and duping computer users into downloading malware, tricks that have long been in use and are often automated.
What has changed, Segura said, is that the hackers deploying it have become increasingly sophisticated about identifying high-value computer systems after they've broken into them.
"Once the bad guys realized they were able to penetrate larger networks, they saw the opportunity to develop malware that's specifically for credit cards and can evade antivirus programs," he said.
By using Backoff selectively, rather than distributing it widely on the Internet, the hackers likely managed to escape detection for longer. Following Homeland Security's warnings in July, however, companies are much better able to probe their own computers for Backoff.
Homeland Security's warning was the latest development in an ongoing battle between retailers and hackers.
Retail giant Target, based in Minneapolis, was targeted by hackers last year and disclosed in December that a data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. On Jan. 10, it said hackers stole personal information — including names, phone numbers and email and mailing addresses — from as many as 70 million customers.
Target, the third-largest retailer, has been overhauling its security department and systems in the wake of the pre-Christmas data breach, which hurt profits, sales and its reputation among shoppers worried about the security of their personal data. Target is now accelerating its $100 million US plan to roll out chip-based credit card technology in all of its nearly 1,800 stores.
So-called chip-and-PIN technology would allow for more secure transactions than the magnetic stripe cards that most Americans use now. The technology has already been adopted in Europe and elsewhere.
On Wednesday, Target announced that its second-quarter earnings dropped 61.7 per cent as it still reels from the cost of the breach as well as a botched Canadian expansion and sluggish sales.
Homeland Security dealing with own breach
Meanwhile, the internal records of as many as 25,000 Homeland Security Department employees were exposed during a recent computer break-in at a federal contractor that handles security clearances, an agency official said Friday.
The official, who spoke on condition of anonymity to discuss details of an incident that is under active federal criminal investigation, said the number of victims could be greater. The department was informing employees whose files were exposed in the hacking of contractor USIS and warning them to monitor their financial accounts.
Earlier this month, USIS acknowledged the break-in, saying its internal cybersecurity team had detected what appeared to be an intrusion with "all the markings of a state-sponsored attack." Neither USIS nor government officials have speculated on the identity of the foreign government. A USIS spokeswoman reached Friday declined to comment on the DHS notifications.
USIS, once known as U.S. Investigations Services, has been under fire in Congress in recent months for its performance in conducting background checks on National Security Agency systems analyst Edward Snowden and on Aaron Alexis, a military contractor employee who killed 12 people during shootings at the Navy Yard in Washington in September 2013.
Private contractors perform background checks on more than two-thirds of the 4.9 million government workers with security clearances, and USIS handles nearly half of that number. Many of those investigations are performed under contracts with the Office of Personnel Management, and the Homeland Security and Defense departments.
It's not immediately clear when the hacking took place, but DHS notified all its employees internally on Aug. 6.
At that point, DHS issued "stop-work orders" preventing further information flows to USIS until the agency was confident the company could safeguard its records. At the same time, OPM temporarily halted all USIS background check fieldwork "out of an abundance of caution," spokeswoman Jackie Koszczuk said.
Officials would not say whether workers from other government agencies were at risk. DHS will provide workers affected by the intrusion with credit monitoring. The risk to as many as 25,000 DHS workers was first reported Friday by Reuters.
A cybersecurity expert, Rick Dakin, said the possibility that other federal departments could be affected depends on whether the DHS records were "segmented," or walled off, from other federal agencies' files inside USIS.
"The big question is what degree of segmentation was already in place so that other agencies weren't equally compromised," said Dakin, chief executive of Coalfire, a major Maryland-based IT audit and compliance firm.