Card Data Breaches

Target Request to Halt Discovery Denied

July, 2014

Data Breach Today reports a federal judge has denied Target’s motion to halt the discovery process in the class action lawsuits filed against the retailer in the wake of its December 2013 data breach. “The court has determined that discovery in this complex case should proceed and has set an ambitious schedule for that discovery,” says Paul Magnuson, U.S. district court judge in Minnesota, in a July 24 ruling. Target had recently requested that the court halt the discovery process until the court can consider its forthcoming motions to dismiss most of the suits. But the retailer has yet to file the motions to dismiss, Magnuson notes in his ruling. Financial institution and consumer plaintiffs in class action lawsuits filed against Target followed up with a July 18 memorandum arguing the discovery process should not be delayed.

Hotel’s Payment System Breached

July, 2014

Data Breach Today reports that, for six months, cyber-attackers breached the credit card payment system for the Houstonian Hotel, Club and Spa, accessing account information of an undisclosed number of customers. On June 10, the U.S. Secret Service notified the hotel regarding a potential breach in the organization’s payment processing systems. The Houstonian then took mitigation steps, according to a statement provided to Information Security Media Group. A forensics team determined that an intruder illegally penetrated the hotel’s internal computer systems between Dec. 28, 2013, and June 20, 2014. Credit card and payment information was compromised during that time, the hotel says. State and federal law enforcement investigations into the incident are continuing. The hotel is offering affected individuals one year of free credit monitoring services.

Brazilian Baddies Bank Boleto Billions

July, 2014

The Register reports Brazilian bad guys appear to have made an astonishing $3.75 billion by scraping a ton of tiny transactions from a popular payment system used by locals, RSA researcher Eli Marcus says. The carders operating a single fraud ring may have netted enough over the last two years to foot 80 percent of Brazil’s $4.7 billion World Cup stadium bill. Marcus pointed out the true profit from the 495,753 stolen transactions was unknown and the billions were potential earnings from a malware-based campaign that scraped financial details. The gang controlled at least 192,227 bot-infected computers used for Bolware banking and had stolen some 83,506 email user credentials stored within the botnet command and control server.

P.F. Chang’s Issues Breach Update

July, 2014

Data Breach Today reports restaurant chain P.F. Chang’s China Bistro has issued an update to customers concerning its data breach investigation. It says the hack attack was the work of a “highly sophisticated” gang, and that digital forensic experts continue to investigate the full extent of the breach, and put related information security improvements in place. But the company, which is based in Scottsdale, Ariz., stopped short of detailing who may have launched the attacks, how they gained access to P.F. Chang’s systems or what type of point-of-sale malware or other attack code they may have used. P.F. Chang’s data breach investigation has also been aimed at hardening the restaurant’s POS systems against any repeat or copycat attacks. While that process offers security, it’s also slow, not automated and thus a temporary fix. Last month, the manager of one P.F. Chang’s restaurant in New Jersey said the switch to manual card imprinting and carbon credit-card slips had necessitated dedicating a staff member to process all of the slips using the dial-up reader and PSTN line, and said that even with entering receipts nonstop, the restaurant couldn’t keep up.

Insurers Petition, Retail Group Complaint, Raise Specter of Who Pays for Breach

June, 2014

SC Magazine notes that, with breaches on the rise and seemingly no end to the damage that a breach can do to an organization, the issue of who pays has heated up: an insurer has petitioned a court to find it’s not required to defend Michaels against a bevy of class action lawsuits resulting from a breach, and a retail group is challenging a credit union’s call to shift greater liability for breaches to retailers. Safety National, which issued a commercial general liability insurance policy to Michaels, told a U.S. District Court in Texas Wednesday that it shouldn’t be required to defend Michaels in the breach cases because those lawsuits don’t seek payout for bodily injury or property damages that the policy covers. The issue of who pays and how much will grow increasingly important as companies struggle to mitigate the financial damage done by a breach. In the past, financial institutions have routinely eaten the costs of fraudulent charges resulting from a breach, but the wind is beginning to shift there, too, as a groundswell of support has grown in favor of putting the onus on retailers.

Why Global Card Fraud Doesn’t Decline

June, 2014

Bank Info Security reports consumers in the United Kingdom experience the highest levels of payment card fraud in Europe. Meanwhile, the world’s fourth-highest card fraud levels are in the United States. Those findings come from a new study that found markedly lower levels of fraud in countries that have adopted card security microchips compliant with the EMV – for Europay, MasterCard and Visa – standard. The study, from research firm Aite Group, is based on a survey conducted by electronic payments provider ACI Worldwide of approximately 300 consumers in 20 different countries who were asked to self-report any card-related fraud they’ve experienced in the past five years. The new study doesn’t make clear why the United Kingdom has more card-related fraud than any other nation in Europe. But the U.K. accounts for more than 30 percent of all card spending in the European Union. Fraud rates don’t appear to have increased in the past two years. That means as fraud declines in one country, criminals are focusing elsewhere. Likewise, when countries introduce new security countermeasures, fraudsters often alter their tactics to focus on easier-to-exploit types of payments.

American Express Customers Receiving New Breach Notifications

June, 2014

CSO Online reports customers of American Express are starting to get a new round of breach notification letters. This time, the letters (mostly identical in wording) are due to two separate incidents, but the full impact is unclear, as the exact number of customers set to receive these notices isn’t known. American Express has now had to issue three different notification letters this month, in order to address three different data breaches. In one letter, the customer is warned that their American Express account number, name, and other card information, such as expiration date, were exposed after someone accessed a merchant’s systems without authorization. Another notification letter going out to American Express customers concerns an incident at Createthe Group. It’s worded exactly the same as the other letter, including the types of information compromised. Createthe Group is an upscale agency that represents top-tier luxury, fashion and retail clients.

Malware Targets Retailers Using Cloud-Based PoS Services

June, 2014

Info Security Magazine reports large point-of-sale-related breaches continue to dominate security press headlines, but new dangers threaten to exacerbate the situation by compromising the small to medium-sized bracket. A fresh cloud-based point-of-sale (PoS) malware – dubbed POSCloud – has been spotted carrying out targeted attacks on software deployed by grocery stores, retailers and other small businesses using web browsers like Internet Explorer, Safari, or Google Chrome. The new malware family was identified by IntelCrawler, a Los Angeles-based cyber-threat intelligence firm, which noted that front-office systems support integration options with credit card readers, barcode scanners, cash drawers and receipt printers. Meanwhile, back-office systems utilize cloud-based PoS services. It means that merchants are able to store data and reporting in public infrastructure, which is accessible remotely via PCs, as well as through mobile devices.

P.F. Chang’s Breach: Predates Target?

June, 2014

Bank Info Security reports a handful of U.S. card issuers on June 18 confirmed Visa had issued alerts that suggested fallout from the P.F. Chang’s China Bistro breach could be more far-reaching than initially suspected. Now it’s believed that the P.F. Chang’s breach goes back to September 2013, predating the breach that impacted big-box retailer Target Corp. in November and came on the heels of the breach that compromised Neiman Marcus in July. But card issuers say they have yet to detect fraud linked to debit and credit accounts possibly compromised by P.F. Chang’s. In fact, one payments fraud expert, who asked not to be named, says issuers are confused about exactly how big the P.F. Chang’s compromise could ultimately be.

P.F. Chang’s Confirms Credit and Debit Card Breach

June, 2014

The Wall Street Journal reports P.F. Chang’s China Bistro Inc. has confirmed a data breach involving credit and debit cards used at its restaurants and said it has launched an investigation with the United States Secret Service and a team of third-party forensics experts. The scope of the incident is still unknown, but cybersecurity blogger Brian Krebs earlier this week reported that data from thousands of stolen cards had been used at P.F. Chang’s locations between the beginning of March and May 19. Hackers can get into cash registers at retail locations and plant software that records data from the magnetic stripe on the backs of credit cards. Data from those magnetic stripes can then be re-encoded onto new plastic and used by thieves to buy goods. The closely-held chain of casual and fast-casual Chinese restaurants has moved to a manual credit-card imprinting system for all of its P.F. Chang’s restaurants located in the continental U.S.
