Retail cyber attacks have been increasing each year as a result of the vulnerabilities in point-of-sale (POS) systems and ecommerce.1 Well-known retailers like Neiman Marcus,2 Michaels,3 Sally Beauty Supply,4 P.F. Chang’s,5 and Target Inc.6 have been victims of recent cyber attacks. The Federal Bureau of Investigation (FBI), which joined in the investigations of the breaches, indicated that the attacks were carried out using memory-parsing malware in the POS systems.7
Most of these breaches began with phishing attacks that introduced malware through infected emails sent to employees who had network credentials. The malware loaded password-stealing software that infected POS systems, allowing hackers to record credit card transactions or personal information through memory-parsing malware.8 The damage done by these breaches is still not fully known, but the estimated cost of the Target Inc. breach alone ranges from $200 million to $1 billion.9,10,11,12
The reputational and financial losses incurred by the retail industry from recent attacks have led retailers to join together to create a sector-based Information Sharing and Analysis Center (ISAC) called the Retail Cyber Intelligence Sharing Center (R-CISC).13 ISACs, a product of Presidential Decision Directive (PDD) 63, are organizations that share information about the critical infrastructure of the United States to help prevent attacks by physical or cyber means.14 Some objectives of ISACs are (1) sharing information about suspicious activities, (2) sharing information that may prevent homicides, (3) monitoring key infrastructure facilities, and (4) sharing information for criminal investigations.15
The R-CISC facilitates information sharing among retailers, including anonymized data on attacks and data on malware strains, software, vulnerabilities, forum activity, and real-time information on attacks.16 Moreover, the ISAC structure provides a means for retailers to receive threat information from government and law enforcement entities like the Department of Homeland Security, Secret Service, and Federal Bureau of Investigation.17 The potential benefits of the R-CISC include broad dissemination of best practices for safeguarding sensitive data such as PII, reducing potential breaches by sharing threat information across the retail industry, and collaborating with researchers in academia and industry to identify emerging technologies and future threats. In addition to creating the R-CISC, eligible retailers may join the Financial Services Industry ISAC (FS-ISAC) to coordinate consumer protection efforts.18
Membership in the R-CISC is open to retailers and merchants in all industries. Resources and contact information for the R-CISC can be found at www.rila.org/rcisc/home/pages/default.aspx.
This post was written by: Irvic Rodriguez
1 Trustwave, 2013, “Trustwave Reveals Increase in Cyber Attacks Targeting Retailers, Mobile Devices and E-Commerce,” February 13, accessed June 2014.
2 Krebs on Security, 2014, “Hotel Franchise Firm White Lodging Investigates Breach,” January 31, accessed June 2014.
3 Harris, E.A., 2014, “Michaels Stores’ Breach Involved 3 Million Customers,” The New York Times, April 18, accessed June 2014.
4 Krebs on Security, 2014, “ZIP Codes Show Extent of Sally Beauty Breach,” March 25, accessed June 2014.
5 Hellmich, N., 2014, “P.F. Chang’s Investigates Data Breach Report,” USA Today, June 11, accessed June 2014.
6 Sidel, R., D. Germano, 2013, “Target Hit by Credit-Card Breach,” Wall Street Journal, December 19, accessed June 2014.
7 Kaiser, T., 2014, “FBI: Retailers Beware, Target’s Cyber Attack Was Just a Warm-Up,” Daily Tech, January 24, accessed June 2014.
8 Krebs on Security, 2014, “Email Attack on Vendor Set up Breach at Target,” February 12, accessed June 2014.
9 Krebs on Security, 2014, “The Target Breach, by the Numbers,” May 6, accessed June 2014.
10 Horavitz, B., 2014, “Data Breach Takes Toll on Target Profit,” USA Today, February 26, accessed June 2014.
11 Lambert, B., 2013, “One Estimate: Cost of Target Data Breach Could Hit $680 Million,” MinnPost, December 20, accessed June 2014.
12 Webb, T., 2014, “Analyst Sees Target Data Breach Costs Topping $1 Billion,” Twin Cities.com, January 30, accessed June 2014.
13 Dunn, J.E., 2014, “Worried US Retailers Battle Cyber-Attacks through New Intelligence-Sharing Body,” Tech World, May 16, accessed June 2014.
14 IT Law Wiki, undated, “Information Sharing and Analysis Center,” accessed June 2014.
15 The Governor’s Office of Homeland Security, “Maryland, Intelligence/Information Sharing,” March 2014, accessed June 2014.
16 National Council of ISACs, undated, “About Us,” accessed June 2014.
17 Retail Cyber Intelligence Sharing Center, “About,” accessed June 2014.
18 Target, 2014, “Discover Target,” accessed June 2014.