Spec’s is a Texas-based liquor store chain and the second largest wine merchant in the country, with 165 stores in several states. Evidently, 34 of those locations were breached in a network and system intrusion that ran for 17 months. It appears that about 550,000 credit card records were stolen during that time. The breach occurred at smaller stores in the Houston area, and it seems that their larger superstores were not part of the heist.
Once again, as in the Neiman-Marcus and Target breaches, the intrusion was discovered not by the victim but by the banks and card processors, who noticed a pattern of fraudulent activity on cardholders’ accounts occurring shortly after a purchase at Spec’s. A fuller article is available on Sophos.
It appears that the intrusion may have been the result of actual physical access to the affected locations, perhaps by someone posing as a corporate network admin or an ISP employee there to do routine maintenance. This may be why the damage was limited to smaller stores in the Houston area. The company said that no employees appear to have been involved. The company indicated that they have been cooperating with the police, who asked them to leave the exploit in place and functional in an effort to track down the perpetrators. While that may be great for the cops, it is a little tough on innocent customers who become new victims of the cyber-crooks in the meantime.
Spec’s is a family-owned business. As an IT security consultant who has worked with small and mid-sized privately held businesses for over a decade, I can say that most of these companies are very focused on reducing expenses to drive more profit to the bottom line. Many a small business owner has blanched at the cost involved in setting up a truly secure network operation, or has undermined the security they do have by using short, obvious passwords and sharing administrative credentials with employees to make it easier to connect to company resources.
I can only reiterate that the decision is NOT whether the cost of proper security is too high. Instead you have to decide whether you want to pay a lot now, or MUCH MORE later, and suffer the damage to your company’s reputation with your customers.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com