Weekly News Roundup: January 31, 2014

Some news highlights from around the world this week including yet another possible breach at a major U.S. retailer, word that costs from the Target data breach may exceed $1 billion, and a new malware strain is believed to have infected at least 45 retailers around the world.

The New York Times – Michaels Stores Is Investigating Data Breach – Maybe you’ve heard this one before: a major U.S. retailer is investigating a potential security breach with the Secret Service involving customers’ credit card information. Michaels is a Texas-based arts and crafts retailer with more than 1,000 stores across the U.S. and Canada. At this point the breach has not yet been confirmed, but it wouldn’t be the first time Michaels has lost card data; the company was also hit by a POS skimming operation in 2011.

Twin Cities Pioneer Press – Analyst Sees Target Data Breach Costs Topping $1 Billion – An analyst at Jeffries this week tried to make a rough estimate of Target’s liability from its holiday data breach, which lasted from Nov. 27 to Dec. 15. The final tally: $400 million to $1.1 billion. That’s excluding outcomes from the 70-plus lawsuits pending in U.S. courts.

PC World – Tor-enabled malware stole credit card data from PoS systems at dozens of retailers – A bombshell this week from researchers at RSA: a memory-scraping malware program called ChewBacca has infected 119 PoS terminals within 45 unique retailers in the U.S., Canada, Australia and 11 other countries. Indications show that over 50,000 unique payment cards have been compromised, including track 1 and track 2 data captured at PoS terminals. The malware installs a Tor proxy client on the infected systems and connects to a server via a .onion address. The .onion pseudo-TLD is used by services that can only be accessed from within the darkweb Tor network. According to the RSA researchers, the malware has been in use since Oct. 25. See also: RSA Blog.