Page 14 - GS170202
News
As Perdue introduced his resolution, Consumers Union was delivering letters to members of the Senate urging them not to use the CRA to overturn pending rules. "Under the CRA, once a rule is erased, an agency cannot move forward with any 'substantially similar' rule unless Congress enacts new legislation specifically authorizing it," Consumers Union wrote. "Among other impacts, this means a bare majority of the Senate can erase a rule, but then restoration of that rule is subject to the full legislative process, including a filibuster."

Arby's under the microscope after breach

Atlanta-based Arby's Restaurant Group Inc. disclosed Feb. 9, 2017, that a data breach may have affected more than 355,000 of its customers' credit and debit cards. Payment Systems for Credit Unions, a trade association representing more than 800 credit unions, notified Arby's in January 2017 when its card-issuing member banks traced thousands of compromised cards to select corporate stores in the fast food chain. PSCU analysts believe the POS systems became infected with malware between Oct. 25, 2016 and Jan. 19, 2017.

Christopher Fuller, Senior Vice President of Brand & Corporate Communications at Arby's, stated that not all corporate restaurants had been affected and emphasized the situation has been fully contained.

Noting in a Feb. 9 statement that consumer credit and debit cards have become a tempting menu item for fraudsters, B. Dan Berger, President and Chief Executive Officer of the National Association of Federally-Insured Credit Unions, called for a national standard of protection.

"The continuing saga of retail data breaches has become a national nightmare," Berger stated. "Cybercriminals are on a binge to capture American consumers' valuable personal and financial data at every opportunity."

Berger said that data breaches climbed 40 percent in 2016, compared with the previous year, a record that is being surpassed in 2017. "In 2017, we have already hit 110 breaches, a 36 percent hike over the same time last year," he said. "[The Arby's] breach is another example of why Congress must act to implement national data security standards for retailers now."

Protecting PII

Berger additionally cited statistics from the Identity Theft Resource Center that found retailers were targeted in 45.2 percent of the 494 data breach incidents reported in 2016. He vowed to push for legislation designed to protect retailers while holding them responsible for breaches.

Berger said the NAFCU is seeking to pass legislation to protect credit unions that comply with the Gramm-Leach-Bliley Act. The federal law, passed in 1999, provides guidance to businesses and financial institutions on methods for managing and storing personally identifiable information (PII). The law requires companies to clearly, conspicuously and accurately disclose information-sharing practices and allow customers to opt out of sharing their information with third parties.

Malware's telltale footprint

Alex Vaystikh, a cybersecurity veteran with expertise in applied research and product development, is a founder and Chief Technology Officer at SecBI Ltd., an Israeli cybersecurity company. Vaystikh sees similarities between the Arby's breach and the highly publicized Target Corp. intrusion reported in 2013, because in both cases, malware operated within the merchant's network, collecting data and "exfiltrating" it over several months. "The malware spread from device to device, controlled remotely by an opportunistic hacker," he stated.

Vaystikh suggested the long span of the Arby's attack may indicate two distinct possibilities: Arby's may be operating without sensors (for example, network gateways that log the network behavior of their device populations), or the company lacks the analytics tools that can process the huge amounts of data generated by the gateways. "To date, the leading cause of breaches has been a lack of analytics to empower the security analysts," he said.

Arby's is working closely with the FBI and the cybersecurity firm Mandiant on the continuing post-mortem investigation and has taken measures to "eradicate the malware from systems at restaurants that were impacted," according to company representatives.

The company created a new website, http://arbys.com/security, where it will post updates on remedial activities. A statement on the website reminds guests to monitor their payment card accounts for suspicious activity. "If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card," Arby's stated.