The latest retail data breach demonstrates that hackers will victimize whoever is vulnerable.
America’s Thrift Stores, an Alabama-based, 18-store for-profit chain that sells donated items and then contributes a significant portion of the profit to local charities, has been breached. Hackers used malware to compromise the systems of a third-party service provider, which gave them access to the America’s Thrift Stores network.
“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company said in a statement. “This virus/malware is one of several infecting retailers across North America.”
The U.S. Secret Service so far believes only customer card numbers and expiration dates were exposed in the breach, which affects transactions made between Sept. 1 and Sept. 27, 2015. Hackers are not believed to have had access to personal customer information, such as name, phone number or email address.
Nonetheless, the Krebs on Security blog reports that banks are detecting patterns of fraud relating to cards used at America’s Thrift Stores. This suggests criminals are making counterfeit copies of payment cards using stolen card data.
Two years after the infamous breach at Target that resulted from a compromise at a third-party vendor, hackers are still finding outside business partners a useful means of penetrating retailer networks. The fact that organized criminals are targeting a small regional chain like America’s Thrift Stores in this manner may indicate that larger retailers have improved their overall network security.
It’s also worth noting that a large-scale counterfeit payment card operation is still possible. While EMV compliance would not stop this type of network intrusion, EMV cards are difficult to counterfeit. In the future, hopefully the potential damage from the theft of customer card data will be less severe as a result.