UPDATED 22:31 EST / JULY 10 2018

Macy’s and restaurant group B&B Hospitality the latest to suffer data breaches

Iconic department store company Macy’s Inc. and New York-based restaurant group B&B Hospitality Group are the latest in a long list of companies to have customer data hacked and stolen.

Macy’s said that an unknown third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords between April 26 and June 12. It did not give specific numbers, saying only that “a small number of our customers” were affected by the breach.

According to reports, Macy’s first detected suspicious login activities on June 11 before shutting access to affected accounts June 12. The company said in a statement that it “investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures.” Affected customers have been contacted and also offered consumer protection services at no cost.

The hack involved the use of employee login details. Ben Johnson, co-founder and chief technology officer of Obsidian Security Inc., told SiliconANGLE that two recent breaches, at Timehop and Macy’s, highlight the significant value of stolen credentials. “In both breaches, legitimate credentials were used to access and exfiltrate enterprise data,” he said. “We must continue to do better on defense, and that starts with proper access controls and protection of our enterprise identities. While often technical vulnerabilities cause the biggest headlines, the truth is that hackers often don’t break in, they log in.”

The hack of the B&B Hospitality Group, which operates nine restaurants in the New York City area, including flagship Babbo Ristorante e Enoteca in Greenwich Village, was a classic point-of-sale hack, with malware introduced to steal customer data.

The breach occurred between March 1, 2017 and May 8 this year at Del Posto, Babbo, Casa Mono, Becco, Otto Enoteca e Pizzeria, Esca, Lupa, Tarry and Felidia. It included the theft of credit card numbers, names, expiration dates, internal verification codes and other payment data.

“B&BHG has removed the malware from all of the restaurants and is taking steps to enhance measures for securing payment card data,” the company said in a statement. “In addition, B&BHG is working closely with the payment card networks regarding this matter so that the banks that issue payment cards can be made aware.”

Fred Kneip, chief executive officer of CyberGRX Inc., said the POS hacking of B&B highlights the need for organizations to plan for security lapses from third parties with access to their network.

“As with so many recent breaches in the food service industry, the B&B Hospitality Group breach was caused by a lack of visibility into poor security controls for a point-of-sale vendor,” Kneip explained. “All third parties in an organization’s digital ecosystem need to be continually assessed for the level of risk they introduce, but this is especially true for tier-one partners like a point-of-sale solution provider with access to payment data.”

Photo: Martin Dürrschnabel/Wikimedia Commons
