Economic warfare on US retail chains: hackers target K-Mart – Part 2


Part 2

The first part focused on the initial revelations of the cyber attack, the discovery of the malware (malicious software) by K-Mart’s IT team, and how all this highlights the vulnerability of computer systems.

Sears’ spokesperson announced that the target of the cyberattack was probably “the payment system”, as credit card information had been stolen. No details have been provided as to the kind of system Sears uses, its size, the roles it plays within the corporation or its layout. Nevertheless, it is highly likely that a giant corporation like Sears is using one centralized system to run most of its activities. The most well-known of these systems is recognized by its technological name, ERP (Enterprise Resource Planning System), akin to the one developed by SAP from Germany.

ERP systems are the driving force of organizations, as most of their activities are either carried out through them or assisted by them. ERPs manage cash registers and customers’ funds, execute transactions and clearance vis-à-vis the credit card companies and banks, issue salary slips and transmit orders to make deposits, and even manage employees’ and managers’ pay along with purchase orders from the organization’s suppliers.

Therefore, the low-key announcement that “several stores were victims of cyberattack” should be taken with a grain of salt, because a “payment system” is a global, cross-chain tool – not a local issue at all. There is no economic, commercial, managerial or organizational reason to run the cash registers, let alone the entire financial activity, of a giant organization with 1200 outlets through 1200 separate computer systems. Therefore, whoever got hold of information on a single credit card would no doubt find it easy to gain access to the entire organizational ERP database and do with it as they please, including disrupting it altogether.

iHLS Israel Homeland Security

Who cloned the malware in Sears’ computer systems, and how, if at all, was any data retrieved and passed on to the hackers? None of the open sources that covered the cyberattack on Sears mention any suspects, or offer even a clue as to their possible identity. In that case, one can only surmise who has any interest in attacking a major retail chain. The answer is in fact – who doesn’t?

This may have been a home-grown attack: some disgruntled employee, a group of hackers sent to work for Sears, someone with their own criminal motives and so on. Any of these possible individuals could have attacked the computers of the organization they were working at. Most cyberattacks are caused by the employees themselves, whether intentionally or unwittingly. Alternatively, these attacks may have been perpetrated by those with relatively good access to the company’s computer array, such as data network contractors, hardware or software providers and so on. Another possible culprit is a country or an organization engaged in some conflict with the US that wishes to inflict long-term, ongoing economic damage.

A cyberattack lasting over a month on the servers and computers of a giant corporation like Sears could – coupled with the latter’s other objective circumstances (financial liquidity issues) – topple it altogether, thereby rendering one hundred thousand people unemployed and bringing down the entire supply chain, if only due to its current, temporary predicament.

This may be the time to enact a binding standard for information security, without which commercial organizations would not be licensed and could not be authorized to accept funds from clients or even operate. Just as public places, from factories to supermarkets, must have fire extinguishers, without which regulators would not let them operate, there is no reason why customers’ credit card information should be allowed to fall into the hands of hackers. The same logic applies, so commercial organizations must be accountable to at least the most rudimentary government oversight in order to address the issue of information security.