Retailer Eddie Bauer's CEO reported that the chain's in-store point-of-sale (POS) system had been infected with malware for a six-month period, during which time payment card information may have been accessed by unauthorized personnel.
The outdoor clothing and equipment retailer's 360 locations were all impacted between Jan. 2, 2016 and July 17, 2016, but sales that took place through the company's online stores were not impacted. The number of customers affected was not released, but the company said not everyone who bought something in one of its stores was caught up in the scam.
Eddie Bauer is not disclosing the number of customers impacted, nor would it specifically name the type of malware other than calling it "sophisticated," a company spokesman told SCMagazine.com in an email.
"We want to assure you that we have fully identified and contained this incident," wrote Eddie Bauer CEO Mark Egeck in an open letter to customers. "Unfortunately, malware intrusions like this are all too common in the world that we live in today. In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer."
"Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain -- they should be considered insecure even after implementing EMV," George Rice, senior director, payments, HPE Security-Data Security, told SCMagazine.com in an email.
The company has started the process of notifying those affected and said it will provide 12 months of identity protection through Kroll to those who used the POS system during this period.
Updated with George Rice's comment.