Thursday, October 25, 2012

Barnes and Noble POS Breach: My Interviews with Store Managers

Now before we begin, I'm a big fan of reading and of Barnes and Noble in general, so I found this particular breach very interesting. After working with them as a customer a few years back and even being considered for a few security positions in their organization, I felt somewhat enamored by them. During these encounters I was always left with a good impression of the people, culture and business. So knowing this, I became very interested in their breach and wanted to find out as much as I could about it and how they handled the situation.

Once I heard they were breached, I spoke with two store managers regarding the incident and their impression of how it was handled. The first store I visited wasn't part of the breach, but I went there to get a better view of how they were handling the incident in general. Once a POS is breached it's imperative that you not only replace and remediate the systems which were abused, but also eradicate the possibility of an attacker coming back. This would be part of the containment and eradication phases in the incident handling process. During my visit to the store I talked with the store manager on staff, who spoke freely about the incident, or at least the parts of it she was aware of, without questioning me or why I was there.

From her responses, only the PIN pads were affected and altered by an outside party. To her knowledge this was not an inside job. She also mentioned that they had known about the incident for the past month or so and were working with federal agents to gather more information. The store manager also said that as soon as the breach was found they removed all PIN pads from each of their 700 stores in the same day and are now looking into further details. This to me shows that Barnes and Noble took this breach seriously by moving quickly to eradicate the threat of additional theft, especially with the holiday season arriving. I went to this store on purpose to see how they were dealing with the incident as a whole, and not as isolated incidents. They passed this test.

After first going to a store that wasn't hit, I then spoke via a phone call with a store manager at a site that was targeted. This store happens to be about 10 miles from the first store I visited and in a much wealthier part of town, which leads me to think that the thieves had a good idea of where they were aiming based on the store locations. This is a theory, but it would make sense if you're trying to make money: hit the place with debit/credit cards that have the most on them; common sense really.

Anyway, when speaking with this store manager he seemed very helpful at first when I asked him the same questions about how it happened, when it happened and if they'd be getting the PIN pads back, if at all. He gave me the same canned answers as the first store manager, but after he realized that I was starting to ask more technical questions he diverted me to another associate after a few minutes of hold time. Apparently, I was taken as someone from the media and was forwarded to someone who was slightly more polished with their answers, which I found very reassuring once again. They passed another test.

Overall, everyone at one point in time is vulnerable to attack, but in reality it's how you deal with the fallout that keeps you from becoming an even bigger mess. From a first glimpse, how Barnes and Noble responded to the incident, removing the affected systems, giving the people at their shops the knowledge to speak without giving too much away, and diverting curious folks like myself to more "in the know" individuals, is a sign that they're taking this breach very seriously, as they should. And in the long run this could very well save them from additional embarrassment. They also have a list of stores that were targeted on their site and are being transparent about the breach. It's my opinion that as of right now they're dealing with this breach in a responsible manner, which in the long run could be one of their saving graces.

You can view the breach notification released by Barnes and Noble here for further details: https://oag.ca.gov/ecrime/databreach/reports/sb24-36794
