Retailers Hit by Credit-Data Breach Smaller Than Target’s

Ukrainian hackers have attacked several dozen small- and medium-sized U.S. retailers in data raids that appear to be smaller and less sophisticated than the ones that hit Target Corp. and Neiman Marcus Group Ltd., according to a cybersecurity firm.

RSA Security LLC discovered the theft when it found a large cache of stolen data on a server used by the hackers, according to an analysis posted on the company’s website today. The breach, which started Oct. 25 and continued into last week, affected at least 41 companies, including one medium-sized retailer and several gas station chains, said an RSA executive, who asked not to be named because the details are confidential. The hackers compromised credit-card data for about 50,000 customers, the executive said.

RSA, a unit of EMC Corp., said it has notified the FBI and the retailers, which it declined to identify. The hackers stole approximately 25 million transaction records -- though the majority were duplicates or unusable -- as they raided businesses across Texas and California, among other states, the RSA executive said.

Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, declined to comment on whether the bureau is investigating the hacking report.

The Target and Neiman Marcus breaches raised alarm among consumers because of the size and sophistication of the attacks. Target said yesterday the hackers used credentials stolen from a vendor to break into their payment system. U.S. Attorney General Eric Holder confirmed the Justice Department is investigating the Target attack at a Senate committee hearing yesterday.

‘Bad Guys’

Michaels Stores Inc. disclosed Jan. 26 some of its payment-card data may have been used fraudulently, saying the matter is still under investigation. The hacking attacks exploited retailers’ point-of-sale, or POS, systems, which process more than $3 trillion in U.S. transactions a year, according to industry newsletter The Nilson Report.

“Hopefully we’re learning the lesson that it is literally not possible to fully secure systems like these given how massively complex they are,” said Paul Henninger, global product director for BAE Systems Applied Intelligence, a security division of the U.K.-based defense company. “Over and over again, the bad guys keep finding a hole in the network.”

The data breaches are complicating matters for retailers as they try to attract balky shoppers after waging price wars during the holiday shopping season. Target, which has said as many as 110 million customer accounts were compromised between Nov. 27 and Dec. 15, said sales at its U.S. unit were “meaningfully weaker” after the data theft was disclosed. Neiman Marcus said Jan. 23 that about 1.1 million credit cards may have been compromised.

ChewBacca Attack

Retailers are working on new initiatives to regain consumer confidence, including pushing card issuers to adopt chip-based smart card technology widely used in Europe, according to the Retail Industry Leaders Association, an industry trade group. The retail association also formed a cybersecurity leaders council to share information on attacks.

The raids on the smaller retailers used a malicious software dubbed ChewBacca, after the Star Wars character, that allowed the hackers to scrape unencrypted credit-card data directly from the memory of POS terminals, said RSA, whose Tel Aviv unit first discovered the stolen data. Retailers in Canada, Australia, the U.K. and Russia were also hit by ChewBacca, RSA said.

“The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data,” RSA said in the posting. “If a card number is found, it is extracted and logged by the server.”

Security Measures

Although the volume of credit-card data compromised in these attacks was smaller than the breaches at Target and Neiman Marcus, the hackers still easily circumvented the retailers’ security measures, at times scooping up thousands of transaction records a minute from the POS systems, the RSA executive said.

RSA traced the stolen cards back to the retailers and also identified Ukraine as the location of the hackers’ operations, the executive added.

The hackers logged in to servers containing the stolen data with nine different user names, which may indicate the size of the gang, the executive said. The hackers, who appear to be less experienced than those who raided Target, set up the server two months before the attack using a computer in Ukraine, the executive said.

Fraud Losses

The U.S. accounted for almost half of $11.3 billion in global fraud losses on payment cards in 2012, according to the Nilson Report, which is based in Carpinteria, California. Gross fraud losses, based on $21.6 trillion in worldwide volume, amounted to 5.22 cents per $100. Average fraud losses for global card brands, including Visa, American Express and MasterCard, is about 6 cents for every $100 in total volume, according to Nilson.

Merchants paid $2.79 for each dollar of fraud losses in 2013, a 3.7 percent increase from a year earlier as online risks increased, driven by higher fees and interest to financial institutions, according to a study by LexisNexis and Javelin Strategy & Research.

Before it's here, it's on the Bloomberg Terminal.