Eddie Bauer LLC, which manages the Eddie Bauer clothing line, is just the latest company to issue a notice warning customers of a data breach.
On 5 July, 2016, infosec journalist Brian Krebs reached out to Eddie Bauer. Sources had told him about a pattern of fraud with customers who had used their payment cards at one of Eddie Bauer's 350+ U.S. locations. He wanted to know if the clothing chain retailer knew anything about it. They didn't at the time. But it didn't take long for the company to get back in touch. As Krebs explains in a blog post:
"... [On 18 August, 2016,] an outside public relations firm circled back on behalf of Eddie Bauer. That person told me Eddie Bauer — working with the FBI and an outside computer forensics firm — had detected and removed card-stealing malware from cash registers at all of its locations in the United States and Canada."
The clothing store chain has since disclosed the incident to the public, saying that the intrusion, which may have compromised some in-store customers' payment card details between January 2, 2016 and July 17, 2016, was part of a larger coordinated attack against "multiple restaurants, hotels, and retailers." Mike Egeck, chief executive officer of Eddie Bauer, explains the company is currently working to notify all affected customers:
“The security of our customers’ information is a top priority for Eddie Bauer. We have been working closely with the FBI, cyber security experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts. In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”
We could have guessed as much. That's how most data breach notices read these days.
Source: http://cardnotification.kroll.com/ But as Krebs points out, it doesn't have to be this way:
"Given the volume of point-0f-sale malware attacks on retailers and hospitality firms in recent months, it would be nice if each one of these breach disclosures didn’t look and sound exactly the same. For example, in addition to offering customers the predictable and irrelevant credit monitoring services topped with bland assurances that the 'security of our customers’ information is a top priority,' breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used. "That way, other companies could use the information to find out if they are similarly victimized and to stop the bleeding of customer card data as quickly as possible."
Not a bad idea for companies to start sharing threat intelligence with one another across private channels. I'm not sure that a data breach victim would want to too many intimate details about the attack in a public statement. Doing so could potentially expose the victim to future attacks. Even so, customizing a breach notice in some way could speak to the company's genuine concern for its customers' security, thereby helping to limit reputational damage in the breach's aftermath. What do you think? Are customized data breach notices a good idea? Let us know in the comments! News of this incident follows on the heels of HEI Hotels & Resorts having discovered point-of-sale malware at 20 of its locations.