Report: Payment Information Breaches At Staples And Michaels May Be Linked
Update, 12/22/14: It turns out that these breaches were not linked.
How can two breaches at different retailers be linked? Criminals write or buy the programs that they use to infiltrate payment systems and dump payment card numbers so they can sell or use them. (Sellers in these markets do not, as you might expect, accept credit cards.) If two breaches use the same malware and dump credit card data in the same place, they are probably linked. Security reporter Brian Krebs has many sources in the banking industry, and has learned that the breach at Staples used similar “criminal infrastructure” to the earlier Michaels breach: specifically, the networks used to control the malware from afar.
This could mean that the attackers in the two different breaches were the same people, or associates of those people. It could also simply mean that two separate attackers are using the same tools. What we do know is that banks have been alerted that cards used at Staples may have been compromised, yet the company says that it is still investigating whether any customers’ payment data was lost.
Link Found in Staples, Michaels Breaches [Krebs on Security]