Store opening: Retail malware

Technological vulnerability and valuable data make retailers the latest target for malware attacks, says Jenny Craig CIO Abe Lietz. Karen Epper Hoffman investigates.

Jenny Craig has built a name for itself over the past 30 years by helping its customers shed pounds. But one thing the weight management and nutrition company does not want to help its customers lose is their personal and financial information. 

To that end, the company, a unit of Nestle, is taking pains not to become the latest in the growing list of retail outfits that have fallen prey to malware attacks, says Abe Lietz, chief information officer and vice president of information systems for Jenny Craig. “To a certain extent, this has been going on for a good period of time,” says Lietz. “As retailers are modernizing their endpoints, often adding more commodity operating systems, they are becoming more approachable to attacks. We're definitely hearing about it more of late.”

The idea that attacks on retailers are on the rise is corroborated by research and media attention. According to the “2013 Trustwave Global Security Report,” released in February, the retail industry last year made up 45 percent of data breach investigations uncovered by the company – a 15 percent jump from the previous year – due to a growth in hacks of retail e-commerce and of physical points-of-sale.

Just in recent months, more than a dozen notable merchant organizations have been publicly outed in the press for having their stores fall victim to such attacks. Brentwood, Tenn.-based convenience store chain Mapco Express announced that payments information at all 377 of its stores may have been compromised when it sustained a malware intrusion earlier this year. In March, Schnuck Markets began investigating a possible compromise of its systems due to “malicious computer code,” which had captured credit and debit card information from the St. Louis-based grocery chain's customers. 

A month earlier, the Chandler, Ariz.-based supermarket chain Bashas' announced that all 130 of its Arizona locations were potentially affected by malware that allowed attackers to access customer information. In January, Zaxby's, an Athens, Ga.-based restaurant franchise chain, went public with news that malware had breached its systems at more than 100 locations. Similarly, more than 150 stores in the Milford, Conn.-based Subway fast food chain fell prey to thousands of cases of information theft by malware between 2009 and 2011. Sixty-three stores in the New York-based Barnes & Noble Booksellers chain were affected by a breach of its systems, the retailer confirmed in October 2012. And card information was also stolen through skimming devices placed at Michaels Stores, the Irving, Texas-based craft chain, in which more than 94,000 debit and credit cards were affected. 

Federal regulators are beginning to crack down on companies that they believe are not doing enough to protect their information against such malfeasance. Last year, the Federal Trade Commission sued Wyndham Worldwide, the Parsippany-Troy Hills, N.J.-based holding company for Wyndham Hotels & Resorts and other lodging brands, for alleged lax computer security that it says allowed hundreds of thousands of payment records to be stolen by hackers.