Hackers Hit Kmart, Chipotle & Others

Cybersecurity concerns have flared in recent weeks with the revelation of several high-profile data breaches. Hackers have successfully infiltrated the systems of Chipotle, Kmart, GameStop and OneLogin, putting everything from consumers’ credit card information to their personal data at risk. For promotional product companies, the digital incursions highlight the importance of having strong cybersecurity protections in place, industry tech experts say.

In a press release, restaurant chain Chipotle announced that hackers inserted malware onto point-of-sale devices at some of its 2,250 locations between March 24 and April 18. The malware was designed to access payment card data from cards used on the restaurants’ POS devices. The nefarious program searched for track data, which can include card number, expiration date, internal verification code and possibly a cardholder’s name. Chipotle said there was no indication that other customer information was affected.

In another breach, consumer electronics retailer GameStop confirmed last week that digital criminals accessed payment card data on its website between August 2016 and February 2017. Compromised information reportedly included credit and debit card numbers, as well as names, addresses and card verification codes. The information was said to be for sale online. “GameStop has and will continue to work non-stop to address (the breach) and take appropriate measures to eradicate any issue that may be identified,” the retailer said in a statement.

Meanwhile, Kmart announced May 31 that store payment data systems at unspecified locations were infected with malicious code that went undetected by antivirus systems. Based on a forensic investigation, the retailer found that criminals were unable to obtain personal identifying information of Kmart customers, such as names, addresses, social security numbers, birth dates and email addresses. However, certain credit card numbers were compromised. “Given the criminal nature of this attack, Kmart is continuing to work closely with federal law enforcement authorities, our banking partners and IT security firms in an ongoing investigation,” a company statement said. “We are also actively enhancing our defenses in light of this new form of malware.”

Perhaps the deepest hacker penetration came in the OneLogin breach. OneLogin acts as a kind of password manager, managing the password and login information for enterprise and corporate clients such as hospitals, law firms, financial companies and more. In essence, the company provides a central sign-in point so clients and their personnel can safely access popular sites and services, such as Microsoft and Google accounts – or at least that’s the intention. In the recent breach, an unidentified “threat actor,” as OneLogin called the perpetrator, got hold of proprietary keys to the company’s database tables. Using these keys, the hacker accessed information about users, apps and various security keys. It’s even possible customer data was decrypted. The attack potentially affected thousands of customers. In the wake of the breach, OneLogin sought to strengthen its infrastructure through expanded threat hunting activities, enhanced infrastructure and application encryption, and more.

Eric Shonebarger, chief information officer at Hit Promotional Products (asi/61125), says when dealing with information security, it’s important to remember three things: “The first is that just because you’re compliant to a given regulation, that doesn’t make your data secure,” he says. “Threats are constantly evolving, and companies must stay engaged with their changing business processes and the threat landscape to stay secure.”

Secondly, there is not a single magic bullet distributors and suppliers can purchase to fully protect their companies. “Good security takes layers,” Shonebarger says. “You should have a firewall. You should have an intrusion detection system. You should use good passwords and two-factor authentications when possible. You should encrypt your data. The idea is that even if one of these security measures fails, you still have other measures in place to detect and mitigate threats.”

Lastly, distributors and suppliers must establish policies and procedures for best security practices, and then educate employees so that they comply with them, says Shonebarger. “Security is only as good as the people and the training you have in place,” he says. “It doesn’t matter if your database is encrypted if someone from accounting is storing credit card numbers in an Excel spreadsheet. Employees have to be trained and policies put in place to ensure best security practices are followed.”