Following the news that Noodles & Company is probing a credit card breach said to have hit several of its 500 stores, IT security experts commented below.
Brad Bussie, Director of Product Management, STEALTHbits Technologies:
“Anti-virus and anti-malware are unable to keep pace with the emerging threats, and we are seeing that daily with company breaches. The thing to remember about malware is that it needs a delivery mechanism. Payment card systems and point of sale systems should be completely isolated and hardened to create a minimal attack surface. Organizations that allow removable devices, internet browsing, and email on payment card networks are literally asking for a breach. When you cut off the traditional methods of malware propagation, the number of breaches will fall significantly. Companies should re-evaluate the systems they have deployed and – if they’re not already – start putting security first. Malware is insidious.”
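The isolation Bussie describes amounts to a default-deny egress policy for the payment segment: POS hosts may reach the payment gateway and a few internal services, and nothing else, so browsing, e-mail and unknown destinations have no route out. The script below is an added example, not code from the article or from either contributor; it audits constructed flow-log lines against such an allow-list. The segment addressing, the allow-list entries and the log format are assumptions chosen for illustration (documentation address ranges only).

```python
"""Egress allow-list audit for a segmented payment-card (POS) network.

Added example, not part of the original article or any contributor's
material. It models a POS segment that may only reach a small set of
business-critical services; web browsing, e-mail and unknown destinations
are denied. All addresses, ports and log lines are constructed.
"""
import ipaddress
from collections import Counter

# Assumed POS segment (hypothetical addressing).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Assumed allow-list: (destination network, protocol, port, purpose).
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443, "payment gateway (hypothetical)"),
    (ipaddress.ip_network("10.20.255.5/32"), "udp", 53, "internal DNS resolver"),
    (ipaddress.ip_network("10.20.255.5/32"), "udp", 123, "internal NTP"),
    (ipaddress.ip_network("10.20.255.20/32"), "tcp", 8443, "patch/config server"),
]

# Ports whose use from a POS host indicates a malware delivery path
# (browsing, mail, external DNS) rather than a simple misconfiguration.
RISKY_PORTS = {
    ("tcp", 80): "web browsing / HTTP download",
    ("tcp", 443): "web browsing / HTTPS download",
    ("tcp", 25): "outbound e-mail (SMTP)",
    ("tcp", 587): "outbound e-mail (submission)",
    ("tcp", 993): "mail retrieval (IMAPS)",
    ("udp", 53): "DNS to external resolver (tunnelling/exfil channel)",
}


def parse_flow(line):
    """Parse one constructed flow-log line of the form
    'src=IP dst=IP proto=tcp|udp dport=N' into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def check_flow(flow):
    """Return (verdict, reason). Only flows originating in the POS segment
    are policed; anything not on the allow-list is denied (default deny)."""
    if flow["src"] not in POS_SEGMENT:
        return "ignore", "source not in POS segment"
    for net, proto, port, purpose in ALLOWED_EGRESS:
        if flow["dst"] in net and flow["proto"] == proto and flow["dport"] == port:
            return "allow", purpose
    risk = RISKY_PORTS.get((flow["proto"], flow["dport"]))
    if risk:
        return "deny", risk
    return "deny", "destination/port not on allow-list"


def audit(lines):
    """Run the policy over log lines; return per-line results and a tally."""
    results = [(line, *check_flow(parse_flow(line))) for line in lines]
    tally = Counter(verdict for _, verdict, _ in results)
    return results, tally


# Constructed sample flows: one legitimate authorization and internal DNS
# lookup, then the kinds of traffic that should never leave a payment segment.
SAMPLE_FLOWS = [
    "src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443",   # card authorization
    "src=10.20.0.15 dst=10.20.255.5 proto=udp dport=53",     # internal DNS
    "src=10.20.0.15 dst=198.51.100.7 proto=tcp dport=80",    # web browsing
    "src=10.20.0.22 dst=198.51.100.9 proto=tcp dport=25",    # outbound e-mail
    "src=10.20.0.22 dst=198.51.100.53 proto=udp dport=53",   # external DNS
    "src=10.20.0.30 dst=192.0.2.50 proto=tcp dport=4444",    # unknown destination
    "src=10.30.0.5 dst=198.51.100.7 proto=tcp dport=80",     # office LAN, not policed
]

if __name__ == "__main__":
    results, tally = audit(SAMPLE_FLOWS)
    for line, verdict, reason in results:
        print(f"{verdict:6} {line}  <- {reason}")
    print("summary:", dict(tally))
```

The same allow-list is what you would encode in the segment firewall; running it over flow logs as above is the cheap check that the rules actually hold, and any "deny" hit from a POS host is worth an alert rather than just a dropped packet.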
Craig Kensek, Security Expert, Lastline:
“The company has to be given credit for being relatively transparent about this. It’ll be up to their management team as to whether they want to post anything in company locations. There is a question as to how to notify customers who made purchases at affected locations. This probably won’t happen. There was a rather long window, 6 months, before this breach was discovered. Not good, and the company’s security team is going to have to step up the security they have in place.
“Noodles and Company is placing the onus on customers to examine their credit card bills for any unusual transactions (which should probably always be done by all consumers, anyway). Ultimately, customers who do see strange charges on the cards should follow the instructions given by the company. The advice is ‘standard practice.’
“Target offered customers whose credit card/debit card info was compromised a free credit watch service for a year. Noodles and Company may want to consider this for affected customers.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.