Clothing chain Eddie Bauer has admitted the payment terminals in more than 350 of its stores have been siphoning customers' bank card details to criminals.
The retailer – which sells high-end clobber for hikers or anyone who wants to pretend they're outdoorsy – said malware infected its cash registers on January 2 and the code remained undetected for at least six months. The software nasty was cleaned up on July 17.
Anyone who used their credit or debit card at any of the group's 350 stores in the US and Canada during that time may well have handed over their card numbers to fraudsters. The malware silently skimmed people's payment information during transactions and fed the data to crooks to create cloned cards for spending sprees.
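To make concrete what "skimmed during transactions" means, here is an added Python example; it is not code from Eddie Bauer, The Register or the malware itself. It scans a constructed transaction buffer the way a POS memory scraper does (a Track 2 pattern match plus a Luhn check to weed out noise), and then shows that when the card reader encrypts track data before it ever reaches the POS application (the end-to-end encryption the Gemalto quote further down calls for), the same scan recovers nothing. The PANs are the published 4111.../5555... integration test numbers, the buffer layout is invented, and the SHA-256 keystream is a stand-in for the terminal's real cipher, used only so the example runs with the standard library.

```python
import re
from hashlib import sha256
from secrets import token_bytes

# Track 2 magstripe layout: ';' PAN '=' YYMM service-code discretionary '?'
# This is the pattern RAM scrapers search process memory for.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")

# Constructed sample tracks. 4111.../5555... are public test PANs that pass
# Luhn; the third is 16 digits but fails Luhn, i.e. the kind of noise a
# scraper filters out before sending data home.
SAMPLE_TRACKS = [
    b";4111111111111111=29121010000012345678?",
    b";5555555555554444=28051011234500000000?",
    b";1234567890123456=29011010000000000000?",
]

# Constructed image of a POS application's memory when track data is
# handled in the clear: card data sits next to ordinary transaction text.
RAW_BUFFER = (
    b"POS v4.2 txn=000123 lane=07 " + SAMPLE_TRACKS[0] +
    b" amount=84.99 tender=CREDIT " + SAMPLE_TRACKS[1] +
    b" receipt=printed " + SAMPLE_TRACKS[2] + b" end"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test used by scrapers to separate PANs from junk."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape(buffer: bytes) -> list:
    """What the malware does: return (PAN, expiry) pairs found in memory."""
    found = []
    for m in TRACK2_RE.finditer(buffer):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append((pan, m.group(2).decode()))
    return found


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 counter keystream), NOT a real
    terminal cipher; it only needs to hide the track bytes in this demo.
    XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_p2pe_buffer(tracks: list, reader_key: bytes) -> bytes:
    """Same transaction, but the reader encrypts each track before handing
    it to the POS app, which keeps only a masked PAN for the receipt."""
    parts = [b"POS v4.2 txn=000123 lane=07 "]
    for track in tracks:
        nonce = token_bytes(8)
        blob = toy_keystream_xor(reader_key, nonce, track)
        pan = TRACK2_RE.match(track).group(1).decode()
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        parts.append(b"card=" + masked.encode() + b" blob=" +
                     nonce.hex().encode() + blob.hex().encode() + b" ")
    return b"".join(parts)


if __name__ == "__main__":
    print("cleartext POS memory  :", scrape(RAW_BUFFER))
    print("encrypted-at-capture  :", scrape(build_p2pe_buffer(SAMPLE_TRACKS, b"k" * 32)))
```

Run as-is it reports two full PANs with expiry dates from the cleartext buffer and an empty list from the encrypted one. The point for a defender is the same regex-plus-Luhn scan run against a memory dump of a register is a quick way to confirm whether cleartext card data is present at all; if it is, the POS is exposed to exactly this class of malware regardless of which sample was involved.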
"We want to assure you that we have fully identified and contained this incident. Unfortunately, malware intrusions like this are all too common in the world that we live in today," the company said in a statement.
"In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer. We are conducting a comprehensive review of our IT systems to incorporate recommended security measures in order to strengthen them and prevent this from happening again."
The retailer said that not all card purchases were skimmed, and the infection didn't reach its online sales site. To be on the safe side it's offering a year of identity theft protection for customers with Kroll, something HEI Hotels failed to offer when it was hit by a similar infection earlier this week.
"Unfortunately, this type of attack will continue until organizations that accept credit card payments fully deploy end-to-end encryption to protect payment information as soon as it is captured into the system, until the time it reaches the payment gateway," said Jason Hart, CTO of Data Protection at Gemalto – which has a lot of experience with being at the sharp end of a hacker's toolkit.
"Two factor authentication must be in play as well, to ensure non-authorized users can't access the company's network or their payment processor's network. Until these practices are followed, you can expect to see more of this type of large-scale hacker activity." ®