It’s a new week, and that means it’s time for the data breach du jour. The “winner” this week is Staples. What is most concerning with this Staples incident, as with a number of other recent credit card data breaches, is that Staples seems to be the last to know. It seems reasonable to expect major retail chains to have the necessary security controls in place to detect and identify malicious or suspicious activity proactively, before card data leaves the network. By the time the banks are reporting fraudulent activity on compromised cards, the data has already been stolen and monetized; the proverbial horse has already left the barn.
I wrote about the alleged breach of Staples in this blog post:
There are reports emerging that yet another major retail chain may be the victim of a credit card data breach. The worst part about the news that Staples may have been compromised, though, is that the news is coming third-hand from card providers observing fraudulent activity rather than from Staples itself. Why does it seem like the affected business is always the last to know?
Brian Krebs wrote yesterday on the Krebs on Security blog that a number of banks have identified a pattern of fraudulent credit and debit card activity that appears to point back to Staples outlets in the northeastern United States. It’s news to Staples, though, which is now apparently investigating the issue.
“The identification of breaches through fraudulent activity is like finding out your house was burglarized by seeing your TV in the pawn shop window,” exclaimed Tim Erlin, director of IT risk and security strategy for Tripwire. “If this pattern in retail breaches isn’t familiar to you by now, you haven’t been paying attention.”
Krebs shared a quote from Mark Cautela, senior public relations manager for Staples, explaining, “We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
To be fair, the evidence against Staples is circumstantial, and it is reasonable for Staples to investigate and determine the veracity of the reports before commenting or responding further. History suggests, however, that the reports are likely accurate, which raises the question, “Why does Staples need third-party financial institutions to let it know after the fact that its network has been compromised?”
Read the full post on CSOOnline.com: Fraudulent activity is first hint of a data breach.