Tuesday, April 16, 2013
The retailer became aware of fraudulent activity when notified by credit card companies on March 15, 2013, that banks had detected fraud on 12 cards used at Schnucks stores, the company stated. At that point Schnucks launched a forensics investigation through Mandiant Corp., which initially ruled out store employee or POS tampering before detecting indications of a cyber attack on March 28.
In a statement released March 30, Schnucks said it had "found and contained the issue behind the reports of unauthorized access to payment card information" and that it had "taken comprehensive measures designed to block any further access."
After disclosing the cyber attack, Schnucks Chairman and Chief Executive Officer Scott Schnuck said, "We are cooperating with law enforcement, the Missouri Attorney General's Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases." He added that security enhancements were being implemented to block further attack activity.
In an April 7 statement, Schnucks said the company had been validated by a third-party assessor as Payment Card Industry (PCI) Data Security Standard (DSS) compliant in an audit conducted in November 2012.
"It's kind of like a financial audit," said Rick Heroux, President of security consultancy CSR. "The auditor can walk out the door and give you a clean bill of health, and somebody can start stealing the next day."
Heroux said that, for whatever reason, it appears Schnucks was unable to adequately monitor outbound traffic on its network. Stolen card data also has a lifecycle: in this incident it took several months after the attack to produce and begin using counterfeit cards, at which point a common point-of-purchase analysis was able to detect it.
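As an added illustration (not from the article or from anyone it quotes), the sketch below shows how a common point-of-purchase analysis of the kind mentioned above can single out one merchant from the purchase histories of fraud-flagged cards. The card ids, merchant names, thresholds and sample data are constructed assumptions.

```python
from collections import Counter

def build_sample():
    """Constructed data: card id -> merchants used in the look-back window."""
    history = {}
    # 12 fraud-flagged cards: all used grocer_A, most also used the popular fuel_B
    for i in range(12):
        history[f"fraud{i:02d}"] = {"grocer_A", "fuel_B" if i % 4 else "cafe_C"}
    # 40 unaffected cards: most use fuel_B, only a few use grocer_A
    for i in range(40):
        history[f"clean{i:02d}"] = {
            "fuel_B" if i % 5 else "cafe_C",
            "grocer_A" if i % 10 == 0 else "pharmacy_D",
        }
    fraud_cards = {c for c in history if c.startswith("fraud")}
    return history, fraud_cards

def common_point_of_purchase(history, fraud_cards, min_fraud_share=0.7, min_lift=3.0):
    """Return merchants over-represented among fraud-flagged cards.

    fraud_share: fraction of fraud-flagged cards that used the merchant.
    lift: fraud_share divided by the (smoothed) share among unaffected cards,
    which separates a likely point of compromise from a merely popular merchant.
    """
    fraud = [c for c in fraud_cards if c in history]
    clean = [c for c in history if c not in fraud_cards]
    if not fraud or not clean:
        return []
    fraud_hits = Counter(m for c in fraud for m in history[c])
    clean_hits = Counter(m for c in clean for m in history[c])
    ranked = []
    for merchant, hits in fraud_hits.items():
        fraud_share = hits / len(fraud)
        # Add-one smoothing avoids division by zero for merchants unseen on clean cards
        base_share = (clean_hits[merchant] + 1) / (len(clean) + 1)
        lift = fraud_share / base_share
        if fraud_share >= min_fraud_share and lift >= min_lift:
            ranked.append((merchant, round(fraud_share, 2), round(lift, 2)))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for merchant, share, lift in common_point_of_purchase(*build_sample()):
        print(f"{merchant}: fraud_share={share} lift={lift}")
```

In the constructed data, fuel_B appears on 75% of the fraud-flagged cards but is filtered out because it is just as common among unaffected cards.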
"What's really interesting about this is that it took them two weeks to figure out where it was and contain it," he added. "And they brought in experts. It was evidently a sophisticated attack, because it was so hard to find."
Malware attacks like the one executed against Schnucks are becoming a pernicious yet often preventable problem for merchants. Heroux pointed out that the self-assessment questionnaires ask merchants how quickly they install security patches after they are issued. The sooner this is done, the better.
"We're starting to see POS threats," Heroux said. "There is one that I understand is very sophisticated called BlackPOS. It's a malware that is installed through unpatched security remote access software." The best defense against these types of attacks is to maintain security updates, which for merchants that adhere to PCI compliance should be ongoing and consistent, he added.