April 22, 2013

Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.

teabreachOver the weekend, KrebsOnSecurity received a tip from an anonymous reader who said Teavana had suffered a data breach that exposed credit and debit card information. A source at a major U.S. credit card issuer confirmed that the card brand has seen fraud rates indicative of a breach emanating from virtually the entire Teavana franchise, which spans more than 280 stores nationwide. Separately, a federal law enforcement official who asked not to be named said agents were indeed investigating a possible breach at Teavana.

On Sunday, I sent an inquiry to Teavana’s public relations folks.  Today, I heard back from Starbucks spokeswoman Jaime Riley, who said Starbucks “takes its obligation to protect customers’ financial information very seriously,” and that the company “has safeguards in place to constantly monitor for any suspicious activity.” But she said the company doesn’t comment on ongoing investigations.

“In the normal course of business, we are contacted by card brands and bank partners to participate in requests to ensure the integrity of all systems, and we participate fully in these requests,” Riley said. “If and when issues are ever substantiated, we will take action to notify and support customers in the most appropriate way possible.”

A source at yet another big debit and credit card issuer said his fraud team became aware of the problem in early March 2013, when the financial institution  began seeing a spike in fraudulent charges via counterfeit cards that were being used to buy high-dollar gift cards at Target retail locations.

teavana “It went from like nothing to 200 counterfeits in one week,” the source said.

The institution later found that nearly all of the counterfeit cards had previously been used at Teavana locations across the country, many as far back as late 2012 (Starbucks finalized its acquisition of Teavana on Dec. 31, 2012).  The source added that the thieves’ ability to clone cards means that the attackers had almost certainly installed malicious software that extracts data stored on the card’s magnetic stripe — most likely from point-of-sale devices when customers swipe their cards at the register.

If confirmed, the incident would be just the latest breach involving popular retail locations. Last month, Schnucks, a St. Louis based supermarket chain, disclosed that a data breach may have given hackers access to roughly 2.4 million credit and debit cards used by customers at 79 stores. Schnucks told the St. Louis Post-Dispatch that the company called in to investigate the breach — Alexandria, Va. based Mandiant — found evidence that intruders had planted malicious software on the company’s network that was capable of capturing magnetic stripe data.

I’ll have more on this developing story as updates become available.

31 thoughts on “Sources: Tea Leaves Say Breach at Teavana

  1. Daniel Wolf

    Glad we have someone like you that people can come to to disclose these issues.

  2. wiredog

    Glad I always use cash at retailers for amounts under $50 or so.

    Why are POS (heh…) terminals the sort of thing that can be trojaned? I know that every once in a while I see the ones at Giant rebooting and they run Windows XP. Is reasonably secure software that expensive that retailers would rather take the hit from insecure systems?

    1. pboss

      A likely guess is that they’re infected at the point of manufacture.

    2. saucymugwump

      “Why are POS (heh…)”

      One of my IT instructors would always say, regarding that abbreviation, “POS … [pregnant pause] … point of sale” while smiling.

      “Is reasonably secure software that expensive”

      You do not understand business people. For them, everything is a cost: employee vacations, employees sick days, toilet paper in the lavatory, software, etc. And the smaller the business, the more the owner thinks that these costs are coming directly out of his pocket.

      That is why computer security will NEVER be implemented without government regulation. Customer privacy and data is simply another cost. Some owners are clueless, like many of the people Brian writes about, but the ones who understand the problem just calculate that a hack is just another cost of doing business.

      Banks should be required to have ‘X’ level of security, but we have already seen how motivated the government is to regulate banks in any shape or form.

      I have been a victim of data theft. The company, Blue Cross, allowed data to be hacked for many people. I now have a credit freeze on my accounts to prevent identity theft. What was the penalty for Blue Cross? A one-year subscription to a credit monitoring service, with no liability for them whatsoever. Until this changes via law, Brian will have lots to write about.

    3. meh

      Why are they infected? Because they are using WEPOS (the POS stands for you know what), basically a gimped verison of XP that means you either don’t ever update it or you do and get stuck in a chain of some no-mans-land between full blown XP and a tight OS with the benefits of neither.

      IBM makes a lot of these, navigate their website to see how user friendly it is, search some XP forums for tips on securing XP and see how uniform the advice is… Look at the hardware these have versus the hardware requirements for most modern antivirus…

      These things are vulnerable because security is a cost, a cost few of the chintzy companies in America are willing to pay for. These things come out the door insecure and they stay that way for years – a lot of these things can and do pull up websites when the management isn’t around to see what they are doing… on IE6 without any real firewalls or AV and maybe even a nice 5 year old version of Java.

  3. Marcus

    Are we talking about CC Infos =CC number and CVV

    Or are we talking about CC Dumps for Instore Carding ?

    1. BrianKrebs Post author

      We’re talking about dumps. As I wrote in the article, the thieves were able to counterfeit cards so they could be used in stores. You can’t do that with just card number and CVV.

      1. stine

        You can if you’re only using them for online purchases. Otherwise you need track data.

        You mentioned Target, and i /assumed/ that that included target.com.

        1. voksalna

          Who would bother with hacking a POS system for getting only number + CVV? That is more of a bad PCI implementation problem, or really poorly done database storage (if the second, then that includes the first more or less by definition). At that level access, these people would have almost certainly captured the card data in transit or scraped RAM to obtain full dump.

          ‘I am not a crook’ but I would say that the time for using CC+CVV only is mostly passed for anything of much value without also having customer name and billing data (which mostly goes with database mention I made above). I nitpick because you say only CC and CVV. Even legitimate purchases will not go through almost all of the time without more data.

  4. Madmonkey

    I hope it has nothing to do with Wi-Fi security or WPS. I wonder if UPNP could be used to do the attack?

    1. voksalna

      I doubt it. Usually things like this are accessed via an employee doing things they should not be doing on a computer facing the internet or just making a POS system (often not patched) accessible to the internet in the first place. If this was 2000s, maybe. Why go for harder WPA2 cracking route and desperation for handshake and massive cracking attempt when open ports and as you might say “low hanging fruit” exist. The “low hanging fruit” in 2003, 2007, or so was often the vulnerable WIFI access points, when WEP and open networks were very big, but WPA2 is much more common now and so this has mostly changed (not totally, this still happens, but things tend to be more localised, not international, if it comes to WIFI attacks now).

  5. Cassandra

    Maybe *now* people will listen to me when I say we need to switch from shared secret card numbers authorizing transactions to some sort of public key challenge-response thing involving a chip on the card containing (but not having to transmit to possibly malicious terminals) a private key used to prove its identity? Then these kinds of attacks couldn’t work.

    Internet purchases would also be more secure, if they used this system and a card reader installed in the PC next to the mini-SD slot, and the operating system card reader API didn’t allow silent transactions (popup box user had to acknowledge, with amount and everything and with cancel button, displayed by the OS itself, so malware without root privs couldn’t bypass the user and make transactions even if the card was left in the slot).

    1. voksalna

      If you think this would work, and I do not mean to insult you, you should read up more on how malware works. 🙂

      1. Cassandra

        With a proper implementation, malware could not get at the private key, as the card would never transmit the private key to the machine it was inserted into, and the card would not itself be reprogrammable such that malware could infect the card itself.

        A replay attack could be ruled out by including a time-sensitive component in the challenge-response authentication. In fact, the challenge just needs to be sufficiently unpredictable. “Here, sign this random 1024-bit integer to prove you’re you” would probably suffice.

        That leaves malware either using the card-access API to do its own transactions or tricking the user into authorizing a transaction. The former can be defended against by users not leaving the card in something when they’re not making a transaction with it, and by forcing the malware to have to crack root in order to use the API to transact invisibly. Further defenses could be made at the hardware level — for example, the card reader could be a (non-reprogrammable) unit with a modicum of smarts, which won’t even let a card be inserted until the host computer tells it a transaction’s been initiated. Then a small clock-like LED readout on the reader could show the price. The card would be accepted then, used to authenticate the one transaction, and ejected automatically. If it came on unexpectedly there’d be a cancel button alternative to putting a card in — and a scrub for malware from a savvy user would be in the offing.

        As for malware tricking the user into making a transaction, at that point you’ve shifted from the realm of antivirus and similar defenses to the realm of con artistry and extortion. The defenses against those need to be of different character.

  6. BrianKrebs Post author

    Have a nice cup of tea. While you’re sitting there, have a look at your card statements. Carry on.

    1. voksalna

      Just wanted to state that this is nice, non-FUD, sane advice, since nobody else did. Everybody wants to make for panicking it seems.

    2. Julio

      Might not be a bad idea to request a new card number. Two of us in our household were hit by these hackers. Hundreds of dollars of Walmart gift cards purchased in the store on each of our cards.

  7. George

    Would some sort of opt-in system be feasible, where the CC purchase cannot be authorized until the user responds to a text authorization from the bank?

  8. jaded

    Since they are reporting that cards from across the entire chain are impacted, I’d say the chances are slightly higher that the data was siphoned off from a central location, and not from malware at each and every register.

    The original breach could have occurred at a retail location, possibly through their POS system, but I would think it’s a bit easier (and more effective) to install a sniffer in one HQ authorization server than it is to survey the entire chain and distribute malware to all locations. On the flip side, the HQ systems might have better defenses than their stores.

    And for those who insist on slagging WEPOS, it’s no harder to secure WEPOS properly than it is to secure XP properly. You disable all services you aren’t using, you use non-admin accounts to run the services you do need, you close all TCP and UDP ports (including SQL Express), you delete xplog*.dll, you prevent remote login, you disable USB mass storage devices, you add firewall rules to block all access to the internet from your POS devices, you add firewall rules to prevent all access to your POS devices except those needed for your software distribution and operation, you protect your systems by carefully guarding your domain admin credentials and never allowing them to be cached, you remove EXPLORER.EXE from the system, you delete email clients and all other unused software, you disable task manager, you find every tiny opening and you weld it shut. Then you check it again and again, you monitor the network, you install malware scanners and anti-virus software, you review the whole platform on a regular basis, you hire a Red Team to pen test it, you stay current on security issues and continue to patch and update the platform, and you have an independent auditor verifying your activities.

    Since you have to do at least that much for an XP system, what on earth would make you think XP is magically more secure than WEPOS, which is just a subset of XP?

    1. saucymugwump

      “you remove EXPLORER.EXE from the system”

      I thought that was not possible because Windows depends on it. That is not a problem when Patch Tuesday rolls around?

  9. voksalna

    Brian, I am grateful you did not use the bad pun ‘Teavana was unaware that trouble had been brewing in their POS systems for months.’

    Nobody should use this pun. 😉

    1. BrianKrebs Post author

      Heh, thanks. I should note that Starbucks releases its quarterly earnings today. It will be interesting to see if any of the analysts ask them about this breach, and/or if they mention it on their own.

      1. voksalna

        That would be a very interesting maneuvre, but I suspect they are not the sort of company that would make such bold statements. Maybe if Starbucks had a “Silicon Valley” or “Northeastern United States” type of attitude instead of a typical “Northwestern United States” corporate attitude. I have noticed these regional differences with interest when I consider stock trading.

        I do not consider Starbucks a direct competitor. Adagio maybe, or Twinings, judging from traffic, on the other hand, may see an increase in business?

      2. voksalna

        Hehe. Or there may be SPAM runs. What are affiliate programs like for hot beverages now? 😛

      3. voksalna

        Oh Opps, I should have re-read article again. I did not remember the part where they were acquired by Starbucks.

        Delay tactic then, maybe?

        Rest of what I said probably still stays — if it is delay tactic then I suspect they will lose some of the business anyway.

        Wish there was editing capability here too often.

  10. Ed Oppenheimer

    There is not enough information in the article to determine the attack method. It would be useful to know what brand of POS they are using, whether PINs were also intercepted, and whether or not tampering of these devices actually occurred. There are numerous points within the payment network where card details can be intercepted, and yet everyone is talking about a POS attack. I hope at one point we can get more information on the nature of this attack.

  11. Tom

    I’m coming late to this discussion and have nothing really useful to add to it … except to note that as of December 2011, when you created a new account on teavana.com, they sent you a confirmation email that included your password. I find it not very difficult to believe that their overall information security practices are very poor.

    I sent them an email and received no reply.

  12. latipac onu

    Schnucks and Teavana both started at the same time. But they were done differently. Schnucks was done location by location and Teavana was comped-all locations -all at once.

Comments are closed.