The data of millions of shoppers could be in the hands of hackers as cyber attacks on American retail stores become more widespread, the U.S. Department of Homeland Security said Friday.
In an advisory, the DHS said that more than 1,000 U.S. businesses have fallen victim to hacker malware that targets cash register systems and steals financial and personal information from customers after they swipe their credit cards.
Specifically, the DHS warned retailers about a type of malware called Backoff, which was discovered last October and most recently infected computer systems in 51 United Parcel Service (UPS) stores throughout the country.
The breach compromised data on 105,000 customer transactions in UPS stores between January and August, and while the company doesn’t believe that any customers have been affected by fraud due to the malware infection, it fears hackers may have stolen shoppers’ names, email addresses and payment information.
As a result, the company has offered free identity protection for customers who made transactions in its 51 affected stores.
The U.S. grocery chain Supervalu was also the victim of a cyber attack this summer, when 200 of the chain’s grocery and liquor stores were infected with malware between June 22 and July 17.
Up until this month, Backoff was undetectable by antivirus software, which is how it stole information from companies for long periods of time.
Jerome Segura, a senior security researcher at Malwarebytes, a cyber security software firm, said that Backoff isn’t much different from other malware, except that it’s designed to target high-value computer systems.
“Once the bad guys realized they were able to penetrate larger networks, they saw the opportunity to develop malware that’s specifically for credit cards and can evade antivirus programs,” Segura told The Associated Press.
Hackers have been able to go undetected using Backoff, partially because it hasn’t been widely distributed over the Internet.
That’s how the massive holiday-season data breach at retail giant Target, which compromised 40 million debit and credit card accounts in late 2013, was able to go on for weeks.
But now, companies, including Target, are taking steps to defend against these attacks.
Banks and businesses are encouraging retailers to update their payment systems so that they can accept chip-based credit cards, which allow for more secure transactions.
“The weakness is the magnetic stripe,” Avivah Litan, a security analyst for Gartner Research, told The New York Times. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”
Some credit card companies have set an October 2015 deadline for retailers to upgrade to this new payment system.
But in the meantime, DHS is recommending that all retailers scour their computer systems for the malware that may be hiding within.