Retailers chew on cybersecurity concerns in wake of Chipotle breach

Posted: May 29, 2017

The American restaurant chain, Chipotle, suffered a 3-week infection of its POS systems from March 24 to April 18 this year. Customer’s credit and debit card information was stolen during the breach, which was first disclosed on April 25. Read the detailed story at ITNews.

The stolen information could be used to create clone cards, drain bank accounts or make online purchases.

Chipotle cannot contact affected customers because it does not record email, phone or postal information alongside payments. Instead, it will have to wear the consequences of the theft, which include a fine based on the size of the breach and the number of records compromised. Credit card companies will also hold the chain liable for any fraud resulting from the breach.

There’s been no comment from the manufacturer of the POS devices in use by the chain.

What would this data breach mean for an Australian Retailer after Mandatory Data Breach Notifications are in place in 2018?

First off, the notification scheme only applies to retailers turning over more than $3 million. Assuming that’s you, as well as calculating the scale of the breach and how many records were affected, you would need to notify the Office of the Australian Information Commissioner that you had discovered the breach because it satisfies the test that the loss of data may lead to “serious economic and financial harm” to the individuals affected. You would have 30 days to make an assessment of the breach to determine the scale and notify the individuals affected IF you could, and notify the OAIC.

Failure to notify affected individuals and the OAIC could mean a fine of up to $360,000 for individuals and $1.8 million for a company.

Post-disclosure, you would also face increased scrutiny of your PCI compliance efforts, such as your data access policies, storage policies and network security credentials.

And obviously, there would be a knock-on effect to your sales in the form of reduced trust over your payment methods. You would have to do a lot of marketing to remedy that trust breach.

What can YOU do to avoid the same situation?

Given the scale of the Chipotle infection, affecting most of the company’s 2,250 outlets, it’s likely the malware was distributed to the POS machinery over a network rather than a manual infection vector for each machine. This points to a breach of network admin credentials to authorise the distribution of the malware.

There are many actions that you can take to harden your network against such a breach. The first is a security policy review, where the safeguards over the integrity of your data and who has access to it are checked by an external party like Computer One on a regular basis.

The next is penetration testing where your network’s defences are tested in real world situations. Automated, remote and on-premises tests will “battle harden” your network and staff and highlight security gaps. It’s expensive, but it’s less expensive than a fine or the loss of sales associated with a decrease in trust for your brand.

The third is the detection of advanced persistent threats. The kind of malware that sits quietly on your network, taking commands from a remote network and feeding data out to it for as long as it remains undetected. Although it keeps a low profile, this kind of software can be detected in operation and stopped from being effective. There are multiple products that Computer One recommends at this point in time, from Cisco Umbrella and Advanced Malware Protection to DarkTrace.

Get in touch if you would like to know more.