Texan company Sheplers, an independent retailer of western and cowboy garments, has admitted that its payment systems were breached and that it suffered a loss of customer information.
According to the company, the impacted information included names, credit and debit card account numbers, and expiration dates, and its payment systems were affected between June 11th and September 4th. Its web store and PIN numbers are not believed to have been affected.
According to Data Breach Today, Sheplers is working with a leading computer security firm and law enforcement to investigate the incident. “The security of our customers’ information is extremely important to us,” the retailer said.
“When we first received an informal tip from a financial institution suggesting the possibility of a breach, we hired a leading computer security firm to conduct a thorough investigation and suspended all electronic processing of payment cards for sales at our retail store locations until we could determine whether customer information was at risk.”
Tom Cross, director of security research at Lancope, said: “Unfortunately, we expect to continue to hear stories like this one, as attacks on point of sale terminals have proven to be an effective means for computer criminals to make money. Every organisation that processes credit card numbers with point of sale terminals that are connected to computer networks should assume that their network has already been targeted or will be targeted in the near future.
“Organisations that handle payment cards need to look at their exposure to attack, as compliance with industry standards does not necessarily equate with security. They also need to start looking inside of their networks to see if they can detect compromises already in progress. Many organisations lack the tools and processes needed to detect attacks once they’ve bypassed the perimeter. That’s an area that needs greater emphasis from information security programmes.”
Andy Heather, VP EMEA at Voltage Security, said: “This breach highlights a need for companies to place tighter controls on how their customers’ sensitive information is stored and protected. If data is left unprotected, it’s not a matter of ‘if’ it will be compromised – it’s a matter of ‘when’.
“Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.”