Credit Card

Card Data Breaches

Retailer Michaels Stores Confirms 3 Million Payment Card Data Breach

April, 2014

Reuters reports that Michaels Stores Inc, the biggest U.S. arts and crafts retailer, recently confirmed that there was a security breach at certain systems that process payment cards at its U.S. stores and those of its unit, Aaron Brothers. The company said in January that it was working with federal law enforcement officials to investigate a possible data breach. Michaels Stores said the breach, which took place between May 8, 2013 and January 27, 2014, may have affected about 2.6 million cards, or about 7 percent of payment cards used at its stores during the period. The company said about 400,000 cards were potentially impacted at its Aaron Brothers unit by the breach, which occurred between June 26, 2013 and February 27, 2014. There was no evidence that data such as customers’ names or personal identification numbers were at risk, Michaels Stores said in a statement. This is the second known data breach since 2011 at Michaels Stores.

Breach Affects Government Contractors

April, 2014

Data Breach Today reports that enterprise solutions provider Deltek is notifying 80,000 customers following a compromise of its GovWin IQ program that exposed personal information, including credit card data. Deltek, headquartered in Herndon, Va., is a global provider of enterprise software and information solutions for professional services firms and government contractors. GovWin IQ is a market intelligence database that helps companies find and analyze government contracting opportunities. Deltek says an unauthorized outsider compromised the login and password information for approximately 80,000 individuals, although it’s unclear how the breach was orchestrated. Around 25,000 of those individuals had their credit card information potentially compromised.

Three New Details from Target’s Credit Card Breach

April, 2014

Businessweek reports that Target’s chief financial officer, John Mulligan, appearing before the Senate Commerce Committee recently, provided few groundbreaking revelations about the data breach that has affected tens of millions of Americans, citing the ongoing nature of its investigation. But Mulligan’s measured testimony helps illuminate three details about the hack that pilfered credit card data and personal records from the retailer’s computer systems last November and December:

1. The amount of fraud on compromised cards has been less than expected so far.
2. The number of affected customers is likely to be no more than 98 million.
3. The company says it is investigating whether it could have prevented damage if it had responded differently.

Senator Calls for ‘Clarification’ on Where Data Breach Risk Falls

April, 2014

CUNA News Now reports that Sen. Claire McCaskill (D-Mo.) said at a hearing on the Target data breach Wednesday that there just might be a lot of public confusion about where “losses fall and where costs are absorbed” in such breaches. McCaskill, a member of the Senate Commerce, Science & Transportation Committee that conducted the hearing, noted that companies collecting consumers’ personal information are not held financially responsible for the costs that occur when the data is not secure. “I don’t think people understand … a lot of the costs associated with this breach–in fact the majority–fall on credit unions and local banks instead of Target,” McCaskill highlighted. She noted, “Interchange fees were $19 billion before the Durbin amendment and now they are less than $10 billion.” The Durbin Amendment refers to the last-minute addition to the Dodd-Frank Act that capped the fees debit card issuers are allowed to charge merchants for the merchants’ customers’ use of debit cards. She continued, “So retailers got almost $10 billion extra as a result of those prices going down. I’m not saying that’s good or bad, but I’m trying to say it’s important the risk be borne by those who must engage in the activity to protect.”

Why So Many Retail Stores Get Hacked for Credit Card Data

March, 2014

Bloomberg Businessweek notes that when a big retailer gets hacked, it’s often quick to note that it has complied with cybersecurity rules set by the credit card industry. MasterCard, Visa, and other card companies require retailers to pass an audit sanctioned by the Payment Card Industry (PCI) Security Standards Council, an industry group. It turns out the accreditation by PCI doesn’t always offer much protection against fraud. Neiman Marcus noted it had met PCI standards when it said in January that customer cards may have been compromised from July to October. Target, which suffered a record-breaking hack in November, had been certified as compliant two months earlier. Grocery chain Hannaford Brothers and payment processors WorldPay and Heartland Payment Systems were also hacked shortly after receiving passing marks from PCI assessors, who judge a company based on six main groups of security measures, broken into smaller items such as firewalls and antivirus software. “People should not think an audit is some kind of insurance policy,” says Ellen Richey, Visa’s chief legal officer and chief enterprise risk officer. “It requires exertion of effort every day of the year.” She says companies deemed PCI-compliant before a major breach have later been found to be out of compliance at the time of the attack.

Target, PCI Auditor Trustwave Sued By Banks

March, 2014

Dark Reading reports the security firm Trustwave and the discount retailer Target have both been named in a lawsuit filed this week by Trustmark National Bank and Green Bank. The banks are seeking class-action status for the lawsuit, as well as $5 million in damages to cover the cost of cancelling and reissuing some of their MasterCard-branded cards, which were among the 40 million credit and debit cards stolen from Target. The damages would also cover the “absorption of fraudulent charges made on the compromised payment cards, business destruction, lost profits, and/or lost business opportunities,” according to the complaint. The complaint also accuses Target of failing to “safeguard and protect PII [personally identifying information] and sensitive payment card information,” in part by not being compliant with Payment Card Industry Data Security Standards (PCI DSS). The complaint accuses Trustwave of failing to provide the level of security that it promised — and failing to meet industry standards, since the data breach continued for nearly three weeks on Trustwave’s watch before it was detected by third parties and reported to Target.

Sally Beauty: Breach Is Bigger

March, 2014

Data Breach Today reports cosmetics supplies retailer Sally Beauty now says more than 25,000 records containing card data may have been illegally accessed and removed from its systems. In a March 28 statement, the retailer does not offer a specific estimate, but says the number of potentially compromised records has grown as a result of its ongoing breach investigation. The compromised records contain card-present (track 2) payment card data, according to Sally Beauty. The company is offering customers who may have been affected by the incident one year of credit monitoring and identity theft protection services. Sally Beauty says it will continue to provide updates regarding the status of the investigation and the steps it will be taking to assist customers affected by the incident. Earlier this month, the company said fewer than 25,000 records were potentially compromised following unauthorized intrusion into the company’s systems.

Sources: Credit Card Breach at California DMV

March, 2014

Krebs on Security reports the California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services. This is according to banks in California and elsewhere that received alerts this week about compromised cards that had been previously used online at the California DMV. The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards. Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT.”

Sally Beauty: Card Data Was Compromised

March, 2014

Data Breach Today reports cosmetics supplies retailer Sally Beauty Supply now acknowledges that fewer than 25,000 records containing payment card data were illegally accessed and “may have been removed” as a result of an unauthorized intrusion into its network. On March 5, the company had said that, based on an investigation of the security incident, “we have no reason to believe there has been any loss of credit card or consumer data.” But four card issuers told Information Security Media Group they had seen evidence of fraud tied to cards that were used at Sally Beauty, as well as other retailers. The company, which hired Verizon to investigate the security incident, says in a March 17 statement that it cannot speculate on the scope or nature of the breach because the forensics investigation is still ongoing. Sally Beauty Supply operates approximately 500 stores worldwide and had $3.6 billion in sales in 2013.

Did Target Ignore Security Warning?

March, 2014

Bank Info Security reports that Target Corp. is reacting to allegations that it failed to heed an alert warning that malware was detected on the retailer’s systems shortly before its massive data breach that compromised 40 million credit and debit cards as well as personal information about some 70 million customers. Bloomberg Businessweek reported on the apparent early warning of the malware attack, citing 10 former Target employees familiar with the company’s data security operation, as well as eight other individuals with specific knowledge of the hack and its aftermath, including security researchers and law enforcement officials. Businessweek’s report says that Target last year installed a malware detection tool from FireEye, and that a team of security specialists in Bangalore monitored Target’s computers around the clock. According to the report, hackers had uploaded exfiltration malware last November. The FireEye tool detected the malware, and the team in Bangalore received an alert, the report states. That team then alerted Target’s Minneapolis corporate headquarters, but the alert wasn’t acted upon, the report says.
