Apparel retailer The Buckle is the latest retailer to have been victimized by a months-long malware attack on its point-of-sale systems, allowing some customer credit card data to be accessed without authorization, the company admitted in a press release Friday.
The attack was first reported by KrebsonSecurity, which was tipped off by its sources in the financial sector, but Buckle confirmed that it had been hit by malware in an attack lasting from Oct. 2, 2016 until April 14, 2017. The retailer said it “quickly removed” the malicious code, and that based on an investigation, it appears “no social security numbers, e-mail addresses or physical addresses were obtained by those criminally responsible. There is also no evidence that the buckle.com website or buckle.com guests were impacted.”
All Buckle store have EMV chip-based payment terminal, meaning the ability of criminals to reproduce counterfeit cards is limited, though the retailer said it believes cardholder names, card numbers and expiration dates may have been compromised.
The hits just keep on coming. This latest malware attack comes just a few weeks after Kmart was reported to have suffered a similar malware incident. Both the Kmart attack and a malware infection on Eddie Bauer point-of-sale systems in early 2016 sound very similar to this attack on Buckle. Though it has been about a full year since that Eddie Bauer attack ended, the more recent incidents with Kmart and Buckle make it seem as though retailers have not learned much in the year since about how to stops these attacks — or even how to detect them earlier.
Figuring out how to accomplish the latter would be a significant improvement in the retail sector's security track record. Perhaps the initial incident can't always be stopped, but many of these attacks have gone on for six months or more without detection. The forensic investigations that retailers pursue after the attacks should become more routine proactive exercises.
This is yet another case when a retailer made a public statement confirming an attack only after reports surfaced elsewhere that it had been attacked. That said, Buckle does get points for at least releasing a lengthy statement discussing its response to the attack and outlining resources for customers potentially affected. Some retailers in the past haven't done as much.
Meanwhile, this latest incident is also a reminder that even as EMV adoption progresses, technology alone doesn't solve all of the industry's security problems. Although, it can certainly help, as retailers often have seen fewer or more limited attacks after EMV implementation. Another problem is that EMV chip cards still aren't ubiquitous, and not all stores that have EMV terminals have activated chip card slots in them. Buckle does have active EMV terminals, which probably limited the impact that the compromised cards can have, but there are plenty of other merchants that still don't have them, and plenty of customers who still swipe their cards to pay.
The bottom line, however, is that retailers simply need to get better at spotting these incidents much sooner than they have been.