The Fraud Blog with Tracy Kitten

Bashas' Breach Exposes Security Flaws

Retail Breach Highlights Risk Mitigation Needs

The recent breach at Arizona-based supermarket chain Bashas' Family of Stores - which has been tied to the compromise of hundreds of payment cards - is an all-too-vivid reminder that compliance does not equal security.


On Feb. 5, Bashas' confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered previously unseen malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.


Bashas' began investigating its network only after customers and card issuers notified the retailer of fraudulent transactions hitting debit and credit accounts shortly after affected cards had been used at Bashas'.

Bashas' has repeatedly stressed that at the time of the breach, it was in compliance with the Payment Card Industry Data Security Standard. But as this breach demonstrates once again, PCI compliance - or compliance with any guidance or regulation, for that matter - does not guarantee bullet-proof security.

Meaning of Compliance?

Bashas' isn't the first company to be breached after getting a clean bill of health for PCI compliance, and it won't be the last.

Too many organizations continue to misjudge what compliance really means.

Compliance with the PCI-DSS, or any other standard or guideline, simply means your organization is meeting the minimum requirements for security. Banking regulators and the PCI Council stress the need for ongoing risk assessments because every organization has unique security needs.

Standards and guidelines have to be broad to ensure they encompass the needs of a wide range of organizations. Retailers, banks and others must tailor their security investments to their specific risks.

In the retail space, remote access to point-of-sale systems and networks continues to put cardholder data at risk.

Many organizations are so narrowly focused on compliance with regulations, standards and guidance that they overlook some important steps, including the need for multifactor user authentication, stronger access controls for critical systems and migration away from shared and default passwords.

When attackers break into a network or system, they often exploit those gaps. We've seen it time and time again. And even though details surrounding the Bashas' breach have been scarce, experts speculate some fundamental weakness is likely to blame for the successful hack.

"Remote access tends to be a very prevalent model for a hacker, and yet it's one that is pretty simple to address," says Nathan McNeill, co-founder of enterprise remote support provider Bomgar.

Unfortunately, many retailers don't appreciate the risks outdated remote-access technologies pose.

Moreover, retailers are not experts in security or fraud detection. This is why, when breaches occur, it is usually the card issuers that are the first to detect suspicious activity and link the fraud back to a suspected retail breach.

"Banks have made big investments in detection systems and software, and they've become experts in this area," says Erin Nealy Cox, a digital forensics and breach response expert with cybersecurity consultancy Stroz Friedberg. The consulting firm was involved in the investigation of the Heartland Payment Systems breach, disclosed in 2009, which led to the compromise of an estimated 130 million U.S. payment cards.
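Issuers link a wave of fraud reports back to a merchant by asking where all the affected cards were used shortly before the fraud began, an approach known as common-point-of-purchase analysis. The sketch below is an added example, not part of the original article and not any issuer's actual system; the merchant names, card identifiers, dates and thresholds are constructed placeholders chosen to illustrate the idea.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card data.

Added illustration of how an issuer can tie a cluster of fraud reports
to one merchant: for every card reported as fraudulent, collect the
merchants it was used at in a lookback window before the fraud started,
then rank merchants by how many reported cards they share. All data,
names and thresholds below are made up for the example.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed legitimate transaction history: (card_id, merchant, date).
TRANSACTIONS = [
    ("card-01", "GroceryCo #12", date(2013, 1, 10)),
    ("card-02", "GroceryCo #12", date(2013, 1, 11)),
    ("card-03", "GroceryCo #12", date(2013, 1, 12)),
    ("card-04", "GroceryCo #12", date(2013, 1, 14)),
    ("card-05", "GroceryCo #12", date(2013, 1, 15)),
    ("card-10", "GroceryCo #12", date(2013, 1, 16)),  # used there, no fraud reported
    ("card-01", "FuelStop", date(2013, 1, 9)),
    ("card-02", "FuelStop", date(2013, 1, 20)),
    ("card-06", "FuelStop", date(2013, 1, 21)),
    ("card-07", "FuelStop", date(2013, 1, 22)),
    ("card-08", "CoffeeBar", date(2013, 1, 18)),
    ("card-09", "CoffeeBar", date(2013, 1, 19)),
]

# Constructed fraud reports: (card_id, date of first confirmed fraud).
FRAUD_REPORTS = [
    ("card-01", date(2013, 2, 1)),
    ("card-02", date(2013, 2, 2)),
    ("card-03", date(2013, 2, 2)),
    ("card-04", date(2013, 2, 3)),
    ("card-05", date(2013, 2, 4)),
    ("card-08", date(2013, 2, 5)),  # unrelated fraud on a card never used at GroceryCo
]


def common_point_of_purchase(transactions, fraud_reports,
                             lookback_days=45, min_cards=3, min_fraction=0.5):
    """Return suspect merchants as (merchant, reported_cards, total_cards, fraction).

    A merchant is flagged when at least `min_cards` of the reported cards
    were used there inside the lookback window before their first fraud
    date, and those cards make up at least `min_fraction` of every card
    the merchant saw. The window and thresholds are illustrative
    assumptions, not an issuer's real tuning.
    """
    fraud_date = dict(fraud_reports)
    reported_at = defaultdict(set)   # merchant -> reported cards seen there in window
    all_cards_at = defaultdict(set)  # merchant -> every card seen there

    for card, merchant, when in transactions:
        all_cards_at[merchant].add(card)
        first_fraud = fraud_date.get(card)
        if first_fraud is None:
            continue
        # Only purchases before the fraud began, within the lookback window, count.
        if first_fraud - timedelta(days=lookback_days) <= when < first_fraud:
            reported_at[merchant].add(card)

    suspects = []
    for merchant, cards in reported_at.items():
        total = len(all_cards_at[merchant])
        fraction = len(cards) / total
        if len(cards) >= min_cards and fraction >= min_fraction:
            suspects.append((merchant, len(cards), total, round(fraction, 2)))

    # Most shared cards first, then highest fraction, then name for stable output.
    suspects.sort(key=lambda s: (-s[1], -s[3], s[0]))
    return suspects


if __name__ == "__main__":
    for merchant, hit, total, frac in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant}: {hit} of {total} cards later reported fraudulent ({frac:.0%})")
```

On the constructed data the grocery location stands out because five of the six cards seen there were later reported, while the fuel station, which only shares two of the affected cards, stays below the card-count threshold. In practice the lookback window and ratio are tuned per portfolio, and a single merchant is only a lead for the acquirer and forensic investigators, not proof of a breach.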

Regulatory guidelines issued for banking institutions, such as the updated authentication guidance released by the Federal Financial Institutions Examination Council, specifically address the need for stronger intrusion detection and authentication.

Creating a more secure payments environment, however, requires collaboration between banks and merchants. And this is an area merchant acquiring institutions have taken an interest in.

But guidelines for security vary widely from industry to industry. And reliance solely on compliance as validation for security is never a safe strategy. A comprehensive risk management strategy based on frequent risk assessments is essential.

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 1 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
