Report: Payment Information Breaches At Staples And Michaels May Be Linked

It’s no longer surprising news when hackers infiltrate the systems of a brick-and-mortar retailer and run off with our credit card numbers. Shoppers have come to expect that kind of thing as a normal part of shopping. However, it’s interesting (and a bit scary) to note that two relatively small breaches at national chains could be linked.

Update, 12/22/14: It turns out that these breaches were not linked.

How can two breaches at different retailers be linked? Criminals write or buy the programs that they use to infiltrate payment systems and dump payment card numbers so they can sell or use them. (Sellers in these markets do not, as you might expect, accept credit cards.) If two breaches use the same malware and dump credit card data in the same place, they are probably linked. Security reporter Brian Krebs has many sources in the banking industry, and has learned that the breach at Staples used similar “criminal infrastructure” to the earlier Michaels breach: specifically, the networks used to control the malware from afar.

This could mean that the attackers in the two different breaches were the same people, or associates of those people. It could also simply mean that two separate attackers are using the same tools. What we do know is that banks have been alerted that cards used at Staples may have been compromised, yet the company says that it is still investigating whether any customers’ payment data was lost.

Link Found in Staples, Michaels Breaches [Krebs on Security]