Sophos Cloud Optix
A chain of liquor stores based in Houston, Texas may have leaked as many as 550,000 sets of customer bank and card records after some of its systems were compromised for close to 17 months.
Spec’s, a family-run chain which is apparently the fifth largest wine seller in the US, operates over 165 stores, of which 34 are thought to have been affected by the breach.
These were mostly smaller local stores in the Houston area – the chain, like most things Texan, is known for the jumbo scale of some of its outlets, but the larger superstores do not seem to be affected by the leak.
Data lost includes most things an identity thief might want, ranging from payment card numbers, expiry dates and security codes to dates of birth and driver’s license numbers in some cases.
As in the case of the Neiman Marcus breach, the leak was uncovered from the outside, with banks and credit card companies spotting something was amiss before the store operators themselves were aware.
This led to some customers learning of the problem from their banks some time before the public disclosure of the issue by Spec’s, which was issued on 28 March.
Their statement does not specify when they first learned of the breach, but asserts that it was finally fully cleaned up by 20 March.
With the initial penetration thought to have occurred on 31 October 2012, that’s almost 17 months during which some or all of the 34 stores involved were infected.
Local news reports quote a Spec’s spokesperson as saying that there were suspicions of a problem as long ago as “early last year”, and that they had been asked not to disclose the issue until now by federal investigators.
They also claim that forensic analysis had taken a long time to fully get to grips with what was going on.
This is worrying given how recently the final all-clear was given. When people’s personal data has been leaked, they need to know as quickly as possible, and systems suspected of leaking such data should be locked down immediately rather than kept running until full cleanup can be ensured.
But it seems that in some cases law enforcement prefer to allow crimes to continue beyond their initial detection, to help them track down the perpetrators.
This may feel a little like using innocent future customers as bait, but the crimestoppers will doubtless argue that their misfortune is in the name of the greater good.
The narrow geographical spread of the infections, and being limited to smaller neighbourhood stores, implies the malware may have been planted manually, exploiting some weakness in physical security at the affected locations.
The firm claims to have replaced some cash registers, which may support the theory that they may have been physically compromised.
However they also state that no employees are thought to be involved, and it’s quite possible that the attack was entirely network-based, with the affected stores on a shared network node, or sharing a software or policy weakness which allowed the compromise to take place.
For those worried their data may have been leaked, Spec’s provides a full list of the stores involved, and offers the usual credit monitoring services, in their statement.
Just thinking aloud, could there have been some modified cards being used to pass an infection into the systems from card readers?
Just a thought.
The only way I can see this happening is if the data on the strip triggered a buffer overflow in the LUHN checksum algorithm — which is highly unlikely. The card reader itself will just spit out a series of ascii characters, and the card readers pass them on as a virtual keyboard. So a modified card would have to be sending the characters for something like [windows][up][up][enter]cmd.exe[enter] — which would a) not fit on track 2, and b) not pass the integrity checks.
So the short answer is: no. There are many other ways that the information can be harvested, however — from keyloggers in-line with the readers to RAM scraper software installed on the terminal/till, to remote access to the appropriate database.
Spec’s is a wonderful delicatessen as well as a liquor store, but they only accept either cash or debit cards. I don’t use my debit card except there and at Costco, and I had “irregular debit card activity” almost exactly a year ago, and had to get a new card. It was at Spec’s main Houston location where I had used it. Nobody else had ever had the card physically, and those two places were the only possible sources of the breach, other than two utility companies which present automatic debits. But Bank of America didn’t seem to pay attention when I pointed out that there were very few explanations for the “irregular” activity.