In April, hackers breached the Point of Sale (PoS) systems of iconic New York department stores Saks Fifth Avenue and Lord & Taylor – which are both owned by Hudson’s Bay Company. This latest cyber-attack against a major retailer resulted in the potential compromise of millions of payment cards.
It has been reported that 125,000 cards from the loot have been released for sale on the dark web. The information confirmed by Hudson’s Bay Company provides enough detail to identify pathways the attacks may have taken.
Australia’s Notifiable Data Breaches (NDB) scheme requires any retailer with a turnover of more than $3 million that holds customer data to report a successful cyber-attack and inform all affected individuals. The stakes are high – so there are a few things for Aussie retailers to keep in mind to help prevent similar attacks.
This was a network takeover
While the Hudson’s Bay hackers were ultimately aiming at the PoS systems, they likely needed to traverse the organisation’s network to get there. This means the attackers would have needed some level of control within the company’s network.
As seen in past PoS attacks, such as those on Target in 2013 and Home Depot in 2014, privileged accounts are the primary enablers of full network compromise. A privileged account is how administrators log into corporate resources such as servers, switches, databases and the applications they manage – and they are powerful. Anyone in possession of these credentials can control security systems and organisational resources and access sensitive data.
Attackers usually gain entry through phishing attacks, steal credentials from the endpoint and elevate privileges while moving laterally across the network towards a retailer’s PoS systems.
Once there, privileged credentials can be used to pull out the payment card data without being detected or setting off any alarms.
The Hudson’s Bay hack provides a timely lesson to other retailers about best practices in preventing PoS breaches.
Prevent network jumping
If we consider the patterns of previous breaches, it’s likely the attackers jumped from an employee endpoint to the PoS systems, highlighting a security gap. Secure retail networks need to be segmented from normal networks. Always. Failure to do so is failure of one of security’s most basic principles.
In the case of Hudson’s Bay, the compromise of its privileged accounts provided attackers with network control and easy access to the PoS systems.
Even with proper segmentation, attackers can exploit privileged accounts to build a bridge between the networks – but these types of attacks have typically been carried out by nation-states targeting critical infrastructure or financial institutions.
What this means for you
The attacks on Saks and Lord & Taylor had to achieve incredibly deep reach into the Hudson’s Bay network to compromise all its PoS systems. Deep attacks like this often require the company to rebuild its network to remove the attacker and regain trust in the infrastructure – not a quick or easy exercise!
Simple security hygiene, such as requiring multifactor authentication on all privileged accounts and segmenting the network, can prevent attackers from escalating across the network.
If privileged accounts are being used on vulnerable devices, the attack surface will continue to expand – allowing multiple possible locations for attackers to build a bridge and reach PoS systems. Automating the vaulting, protection and monitoring of these credentials is critical to containing these attacks and maintaining the safety of your PoS system, associated networks and your customers’ data.
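The two controls above, segmentation between the employee network and the PoS zone and privileged accounts that are only ever used from hardened hosts, can be audited from ordinary firewall and authentication logs. The following is an added example written for this article, not CyberArk code or anything from the Hudson’s Bay investigation: the zone ranges, account names and sample flows are all constructed, and a real deployment would load them from the organisation’s own inventory and policy.

```python
import ipaddress

# Constructed network zones for this example (not from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # employee endpoints
    "jump":      ipaddress.ip_network("10.20.0.0/24"),  # hardened admin hosts
    "pos":       ipaddress.ip_network("10.50.0.0/16"),  # PoS terminals and servers
}

# Segmentation policy: only these zones may open connections into the PoS zone.
ALLOWED_INTO_POS = {"jump", "pos"}

# Accounts the organisation treats as privileged (constructed sample).
PRIVILEGED = {"svc_posadmin", "da_backup"}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit(flows):
    """Return (reason, flow) findings for flows that violate policy.

    Each flow is a dict with src, dst and user (None if unauthenticated). Checks:
    1. a connection into the PoS zone from a zone not allowed to reach it
       (the 'network jumping' the article warns about);
    2. a privileged account used from an ordinary endpoint instead of a jump
       host (privileged credentials exposed on a vulnerable device).
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if dst_zone == "pos" and src_zone not in ALLOWED_INTO_POS:
            findings.append(("segmentation_violation", f))
        if f.get("user") in PRIVILEGED and src_zone != "jump":
            findings.append(("privileged_from_endpoint", f))
    return findings

# Constructed sample flows, as they might be parsed from firewall/auth logs.
SAMPLE_FLOWS = [
    {"src": "10.10.4.23", "dst": "10.10.9.5",  "user": None},            # workstation -> file server: fine
    {"src": "10.20.0.7",  "dst": "10.50.1.10", "user": "svc_posadmin"},  # admin from jump host: fine
    {"src": "10.10.4.23", "dst": "10.50.1.10", "user": None},            # workstation straight into PoS zone
    {"src": "10.10.4.23", "dst": "10.10.9.5",  "user": "da_backup"},     # privileged account on a workstation
]

if __name__ == "__main__":
    for reason, f in audit(SAMPLE_FLOWS):
        print(reason, f["src"], "->", f["dst"], f.get("user"))
```

Either finding is a candidate for alerting: the first means the segmentation boundary is not being enforced, the second means a privileged credential is sitting on exactly the kind of endpoint a phishing attack reaches first.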
According to the first quarterly report following the introduction of the NDB scheme, a total of 63 eligible data breaches were disclosed to the OAIC in the first six weeks of the scheme. In a sluggish local market, Australian retailers can’t afford to add themselves to this list.
CyberArk is a global institution in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the industry’s most complete solution to reduce risk created by privileged credentials and secrets. For more information visit www.cyberark.com