Dive Brief:
- Eddie Bauer disclosed Thursday that malware has infiltrated its in-store point-of-sale systems, granting cybercriminals access to customer payment card information on purchases made on various dates between Jan. 2 and July 17.
- “We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” Eddie Bauer CEO Mike Egeck said in a statement. “In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”
- Third-party digital forensic experts hired by Eddie Bauer determined that the card data breach was part of a much larger coordinated attack on a range of retailers, restaurants and hotels. Cards used for online purchases at eddiebauer.com were not affected, according to the outdoor apparel retailer.
Dive Insight:
Eddie Bauer has quite the mess on its hands, and cleaning it up won’t be easy—or cheap. The retailer is currently in the process of notifying shoppers whose payment information may have been compromised, and has contracted risk mitigation and response services firm Kroll to offer affected customers free identity protection services for 12 months. Eddie Bauer also is working with payment card networks and card-issuing banks to monitor for fraudulent activity on cards used during the January-July timeframe.
In an open letter published on the Eddie Bauer website, CEO Egeck wrote: “We want to assure you that we have fully identified and contained this incident. Unfortunately, malware intrusions like this are all too common in the world that we live in today.”
Egeck’s right: Malware intrusions are a reality of doing business in the 21st century. Eddie Bauer is not the first retailer in hacker crosshairs, of course—both Target and Home Depot have been the victims of hacks in recent years. Retailers in fact now experience the most cyberattacks of any industry sector—three times as many as the previous top target, the financial industry—according to information and communications technology firm NTT Group's 2016 Global Threat Intelligence Report, issued in April.
So why aren’t retailers taking more decisive steps to protect themselves and their customers from harm? Blame hubris. There is a massive disconnect between reality and IT professional confidence, according to security, compliance and IT operations solutions firm Tripwire’s 2016 retail cybersecurity survey.
While a third of retailers surveyed by Tripwire said that a breach involving personal data had occurred at their companies, implementation of breach detection technology has nevertheless remained flat. In addition, companies with larger revenues monitor their systems less frequently: 66% of IT professionals working for organizations with revenues of less than $100 million check their compliance at least weekly, while just 55% of those working at organizations with revenues of more than $100 million said they do so. Even so, 90% of survey respondents believe they could detect a data breach within their critical systems in one week or less, and 75% contend they could detect a breach within 48 hours.
“Unfortunately, these results indicate that we can expect retail breach activity to continue in the future,” Tripwire's director of IT security and risk strategy, Tim Erlin, said in a statement. “The increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools. Together these results indicate while retail organizations might feel better about their cybersecurity capabilities, there’s still a long way to go to close the gap between initial compromise and detection.”