Spec’s is a Texas-based liquor store chain and the second largest wine merchant, with 165 stores in several states. Evidently, 34 of those locations were breached in a 17-month-long network and system penetration exploit. It appears that about 550,000 credit card records were stolen during that time. The breach occurred at smaller stores in the Houston area, and it seems that their larger superstores were not part of the heist.
Once again, as in the Neiman-Marcus and Target breaches, the intrusion was discovered by the banks and card processors, who noticed a pattern of fraudulent activity on cardholders’ accounts occurring shortly after a purchase at Spec’s. A fuller article is available on Sophos.
It appears that the exploit may have been the result of actual physical access to the affected locations, perhaps by someone posing as a corporate network admin or an ISP employee there to do routine maintenance. This may be why the damage was limited to smaller stores in the Houston area. The company said that no employees appear to have been involved. The company indicated that they have been cooperating with the police, who asked them to leave the exploit in place and functional in an effort to track down the perpetrators. While that may be great for the cops, it is a little tough on innocent customers who become new victims of the cyber-crooks.
Spec’s is a family-owned business. As an IT security consultant who has worked with small and mid-sized privately held businesses for over a decade, I can say that most of these companies are very focused on reducing expenses to drive more profit to the bottom line. Many a small business owner has blanched at the cost involved in setting up a truly secure network operation, or has sub-optimized the existing security by using short, obvious passwords and sharing administrative credentials with employees to make it easier to connect to company resources.
I can only reiterate that the decision is NOT whether the cost of proper security is too high. Instead you have to decide if you want to pay a lot now, or MUCH MORE later, and suffer the damage to your company’s reputation with your customers.