By Charles Leaver

Far-reaching Michaels breach calls attention to endpoint protection

Not only are hacking incidents occurring in greater numbers, but individual incursions are lasting longer. Equipped with a sophisticated set of tools, cybercriminals are not just able to breach internal infrastructure, but to remain there, undetected, for long periods of time. Part of the reason this is happening is because hackers operate with greater cohesion. The strength of their attacks is more coordinated, and the damage they cause can therefore be steeper. But another key reason criminals can infiltrate systems for extended periods of time is because many of their victims lack the endpoint protection software to keep intruders out. Such security vulnerabilities can be present in companies of all sizes. A recent and extremely prolonged incursion on a large retail chain is proof that companies at every operational level must enact a robust system of data loss prevention or risk long-term and potentially devastating consequences.

Michaels is latest retailer to fall victim to attack
Michaels Stores Inc. – a popular arts and crafts chain with over 1,200 outlets across the country – is still coping with the fallout of a breach that was discovered back in January. The malicious incursion, which was first reported by noted independent security expert Brian Krebs, was initially treated with hesitation on the part of Michaels, whose administration said they were not willing to confirm or deny a breach. But in the intervening months it has become clear that an attack did in fact happen, and that its damages are widespread. The company released an announcement on April 17 reporting that they had succeeded in containing the incursion and restoring the security of their systems. The total number of customer credit cards affected stands at 2.6 million, although the company downplayed that number by pointing out that it represents only seven percent of customer payments that occurred during the time of the breach.

The time attack went undetected suggests lack of endpoint protection
What is particularly alarming about this attack is the sheer amount of time over which it happened. According to the store’s own statement, the incursion lasted more than eight months, from May 2013 to the end of January 2014. The idea that private customer data including credit card numbers was vulnerable for the better part of the year will doubtless be disconcerting to the store’s clientele, and it will not be surprising if Michaels experiences a big drop in profits for the foreseeable future. Addressing the store’s customers, CEO Chuck Rubin said his business will be making every effort to meet the needs of the victims.

“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” he said. “We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring service.”

Organizations must not only assist customers, but also themselves
While it is good that Michaels is providing its customers with credit monitoring, fraud help and other recuperative services, none of those things will do anything to prevent a future breach. That is why in the wake of an attack a company must be as proactive about evaluating its data leak prevention infrastructure as it is about meeting the security needs of customers. According to Rubin, the store has plans to strengthen its security in light of the attack.

“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance,” he said. “Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

Get the Blog Here