
Card Data Breaches

NPR Report Highlights Merchant Failures on Data Breaches

December, 2014

CUNA reports merchant data security breaches–their effects on consumers and the reactions of retailers–were highlighted on a recent segment of NPR’s “All Things Considered.” Reporter Aarti Shahani followed a security expert who was able to point out how easily a hacker could infiltrate a retailer’s point-of-sale network. EMC’s Davi Ottenheimer noted a card reader–similar to ones he had at home–connected to a tablet left unattended in a high-end retail store. At another large retailer, no one noticed that he was paying more attention to a computer plugged into the network than to the merchandise. The incentives are small for retailers to take on more responsibility. They want to keep information technology budgets down, and they don’t have to pay, even if they are at fault. Financial institutions pick up the bill, Shahani said.

Home Depot Spent $43 million on Data Breach in Just One Quarter

December, 2014

CSO Online reports Home Depot spent $43 million in its third quarter, dealing with the fallout of one of the largest ever data breaches, highlighting the costly nature of security failures. The retailer said in a regulatory filing on Tuesday that it expects $15 million of that cost will be reimbursed by a $100 million network security and privacy liability insurance policy. The $43 million was spent on investigations, providing identity theft protection services to consumers, increased call center staffing and other legal and professional services. Attackers stole 56 million payment card details and collected 53 million email addresses of people who shopped at Home Depot’s stores between April and September in the U.S. and Canada. They gained access to Home Depot’s network by using the login credentials of one of the retailer’s vendors. The retailer warned that it expects “to incur significant legal and other professional services expenses associated with the data breach in future periods.” Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders.

Retailer Bebe Confirms Card Breach

December, 2014

Data Breach Today reports women’s apparel retailer, Bebe, has confirmed a data breach that may have exposed payment card details for a yet-to-be-revealed number of its customers. The company, which operates 175 retail stores and 35 outlet stores in the U.S., the U.S. Virgin Islands, Puerto Rico and Canada, says in a statement that it “recently detected suspicious activity on computers that operate the payment processing system for its stores.” Once the breach was detected, Bebe immediately engaged a computer security firm to block the attack from continuing, the company reports. Based on its investigation so far, Bebe believes the attack was focused on payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores Nov. 8-26. Data potentially compromised includes cardholder name, account number, expiration date and verification code. A spokesperson for Bebe said the company is not disclosing the number of cards potentially compromised.

Target Fights to End Bank Suits a Year After Data Breach

November, 2014

Bloomberg reports a Target Corp. lawyer told a judge that the company had no legal obligation to banks that claim to have lost tens of millions of dollars after a hack last year on the retailer’s payment processing systems. Target didn’t have a legal duty to the banks because card payments are processed through third-party intermediaries, Douglas Meal, the retailer’s lawyer, told U.S. District Judge Paul Magnuson in St. Paul, Minnesota. Target isn’t liable to the lenders, he said today in urging the judge to dismiss the case. The banks “are claiming that Target had a duty to protect them from that criminal activity,” Meal said. “The only way that would be true is if there is a special relationship between the parties,” and there is none. In the lawsuit, the banks say they and other credit card issuers lost tens of millions of dollars from having to issue new cards, monitor accounts for fraud and reimburse victimized customers. The banks seek to hold Minneapolis-based Target liable for negligent system security. The lenders, suing on behalf of a proposed group that includes every card-issuing financial institution whose customers made purchases last year, say the company wants to duck blame for failing to safeguard data.

New Variant of Backoff Malware Tougher to Detect

November, 2014

ThreatPost reports a new and more fine-tuned version of the Backoff point of sale malware known as ROM has been spotted in the wild, according to researchers. While the latest iteration is similar to the preceding version, ROM has tweaks that help the malware better evade detection and hinder the analysis process, according to Fortinet. ROM, whose technical detection term is W32/Backoff.B!tr.spy, doesn’t use a version number in the malware body. Also, unlike previous Backoff versions, ROM doesn’t disguise itself as a Java component, but instead as a media player under the name mplaterc.exe. After copying itself to the infected machine it calls on an API, WinExec. The API replaces names with hashed values in order to thwart the analysis process. Hong Kei Chan, a junior antivirus analyst with the firm, said that like Backoff, ROM can extract Track 1 and Track 2 data from PoS terminals, and that it has a sophisticated approach when it comes to parsing that information.

Travel Site Breach Impacts 1.4 Million

November, 2014

Bank Info Security reports travel-booking website Viator is notifying approximately 1.4 million customers about a data breach that could potentially affect payment card data, along with other personal information, used to make bookings through the company’s websites and mobile offerings. In August, Viator officially became part of the TripAdvisor family of companies after an acquisition originally announced in July. Viator has determined that approximately 880,000 of its customers may have had their payment card information – including encrypted credit or debit card number, card expiration date, name, billing address and e-mail address – compromised. In addition, those customers may have had their account information, such as encrypted password and Viator “nickname,” exposed.

Home Depot Breach Cost CUs Nearly Double Those from Target

November, 2014

The data security breach at Home Depot stores in September cost credit unions nearly $60 million to reissue cards, deal with fraud and cover other costs, according to the results of a new survey of credit unions, recently released by the Credit Union National Association. The CUNA survey, which asked credit unions to report the effects of the Home Depot breach, found that 7.2 million credit union debit and credit cards were affected. The survey shows that the cost per card reissued by credit unions was $8.02, which included costs for reissuing, as well as fraud and other costs such as additional staffing, member notification, account monitoring and others.

Banks: Credit Card Breach at Staples Stores

October, 2014

Krebs on Security reports multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Backoff PoS Malware Boomed in Q3

October, 2014

Information Week’s Dark Reading notes that, try as they might, retailers don’t seem to be able to get the Backoff malware to actually back off. According to a new report from the security firm Damballa, detections of the notorious point-of-sale (PoS) malware jumped 57% from August to September. During the month of September alone, Backoff infections increased 27%. This year, the Secret Service estimated that as many as 1,000 US businesses may be infected by the malware. That list of impacted businesses features some big names, including United Parcel Service (UPS) and Dairy Queen. According to Damballa, the increase demonstrates that the malware is bypassing network prevention controls, and it underscores the importance of ensuring that PoS traffic is visible. In many cases, the PoS systems are free-standing from the corporate network, according to Damballa CTO Brian Foster. He notes they connect to local networks, which have limited security. Without this visibility, it’s impossible to discover that the device is communicating with criminal command and control.

Alleged Russian Hacker Faces 40 Charges

October, 2014

Bank Info Security reports alleged Russian hacker Roman Valerevich Seleznev, arrested earlier this year, is facing 11 additional charges tied to the theft of credit card information for later sale on “carding” websites. As set forth in the indictment, the government expects to prove at trial that Seleznev was a leader in the marketplace for stolen credit card numbers, and even created a website offering a tutorial on how to use stolen credit card numbers to commit crime, according to acting U.S. Attorney Annette Hayes. The indictment alleges that Seleznev, also known by the online handle “Track2,” was involved in the theft and sale of more than 2 million credit card numbers. He is scheduled for trial on Nov. 3 and will be arraigned on the new charges sometime next week.
