Credit Card

Card Data Breaches

Will MasterCard, Target Renegotiate?

May, 2015

Bank Info Security reports that MasterCard’s $19 million breach-expense settlement with Target on behalf of its card issuers has been derailed after an insufficient number of banking institutions chose to accept the terms of the deal. One payments security expert says MasterCard will likely renegotiate its settlement to avoid lengthy litigation. Meanwhile, an attorney representing banks and credit unions involved in a class-action lawsuit against Target, which seeks to recoup breach-related expenses, says the suit will push forward. John Buzzard, who heads FICO’s Card Alert Service, says MasterCard is likely to offer a new settlement that better meets the expectations of issuers. Charles Zimmerman, co-lead counsel for the banking institution plaintiffs in the class-action suit against Target, says banks and credit unions agreed the settlement was unfair. They decided they would rather push forward with their class-action suit than agree to a settlement that provides inadequate reimbursement for their substantial breach-related expenses.

Las Vegas’ Hard Rock Casino Hit by Carders

May, 2015

Help Net Security reports that Las Vegas’ popular Hard Rock Hotel and Casino has been hit by carders, who took off with names, card numbers, expiration dates, and CVV codes (but not PINs or other information) of customers who used their payment cards at several locations within the property. According to a company statement, the criminal attack was limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant. The company states that it “contained” the attack on April 2, but it does not say whether it detected the attack itself or was notified of it by banks or payment processors. Law enforcement has been notified about the breach, and a breach notification email has been sent to affected customers (number still unknown).

Visa to Boost Tier Reimbursements for Reissued Cards

May, 2015

The American Bankers Association reports that Visa announced on May 14 that it will increase the reimbursement levels for all of its card-issuing banks when they reissue cards following a data breach. The move follows aggressive ABA advocacy with Visa to secure higher reimbursements, particularly for community banks, which typically have greater costs than large-volume issuers. Visa will adopt a tiered reimbursement system to replace its current reimbursement level of $2.50 per reissued card. Issuers with less than $500 million in annual Visa purchase volume, which includes most community banks that issue Visa cards, will qualify to receive $6.00 per card. Issuers with $500 million to $10 billion in volume will receive $3.85 per card and the biggest issuers, with more than $10 billion in volume, will receive $2.65 per card. Issuers will also be reimbursed an additional $1.00 for every chip card they reissue. The changes take effect with breaches for which Compromised Account Management System email alerts are sent on or after July 1.

Home Depot Suit Deadline Extended

May, 2015

The Credit Union Times reports a judge in the U.S. District Court for the Northern District of Georgia has pushed the deadline for credit unions to join a class-action suit against Home Depot to May 27, according to CUNA. The change gives credit unions more time to decide if they’ll participate in a lawsuit that is the result of a massive data breach at the retailer in September 2014. The breach occurred when hackers got into the company’s network and deployed malware on the self-checkout systems in order to get card information from shoppers at U.S. and Canadian stores between April 2014 and September 2014, according to Home Depot’s latest 10-K filed with the SEC. More than 50 million email addresses were also taken, according to the company. The breach has cost credit unions nearly $60 million, CUNA said.

Sally Beauty Confirms Second Breach

May, 2015

Data Breach Today reports Sally Beauty Supply now says that it has “sufficient evidence to confirm that an illegal intrusion into our payment card system has indeed occurred.” The news comes 10 days after Sally Beauty announced that it was investigating reports of “unusual” card activity that had been brought to its attention. Now, Sally Beauty recommends that customers who suspect their cards may have been compromised contact their card-issuing banking institutions. In March 2014, Sally Beauty reported that some 25,000 records containing card data had been illegally accessed and possibly removed as a result of an unauthorized intrusion. Some experts now say, however, that it’s unlikely that the 2014 and 2015 breaches are connected, and conclude that it’s more likely that this newest breach is the result of a remote-access attack, like the one that compromised POS vendor Harbortouch Payments in March.

After Target and Home Depot Breaches, Small Lenders Object to Settlements

May, 2015

The Wall Street Journal reports small banks and credit unions are banding together in a bid to recover hundreds of millions of dollars in losses incurred from high-profile data breaches at Target Corp. and Home Depot Inc. Angry at being squeezed out by bigger banks, the small institutions now are trying to upend a long-standing industry practice in which card networks Visa Inc. and MasterCard Inc. negotiate settlements with breached merchants and then distribute the proceeds to affected financial institutions. The smaller firms say the process favors the big banks, even though the larger institutions can more easily absorb the cost of such incidents, including issuing new cards. The frustration reached a boiling point earlier this month, when the lenders filed a motion objecting to terms of a settlement Target reached with MasterCard that would see the retailer provide $19 million to card issuers to cover breach-related losses.

Credit Card Terminals Have Used Same Password Since 1990s, Claim Researchers

May, 2015

CSO Online notes that while retailers battle breaches that have resulted in tens of millions of credit card numbers stolen, word comes from the RSA Conference in San Francisco that a major vendor of payment terminals has been shipping devices for over two decades with the same default password. The vendor wasn’t named by the researchers, David Byrne and Charles Henderson, but they did disclose the password: 166816. A Google search reveals that’s the default password for several models of credit card terminals sold by Verifone, a Silicon Valley-based vendor that says it connects 27 million payment devices and has operations in 150 countries. The researchers said that the password remains in use on 9 out of 10 terminals they see from the vendor, in part because customers mistakenly assume it is unique to them.

New Malware Program Punkey Targets Point-of-Sale Systems

April, 2015

CSO Online notes that Point-of-Sale (PoS) terminals have become an attractive target for hackers over the past year, reflected in the increasing number of RAM-scraping programs that steal payment card information from the memory of such systems. Last month security researchers from Cisco Systems issued a warning about a new PoS threat dubbed PoSeidon, and security blogger Brian Krebs reported that the program has already infected PoS terminals at restaurants, bars and hotels in the U.S. Security researchers from Trustwave now warn that during a recent investigation with the U.S. Secret Service, they’ve uncovered yet another RAM-scraping PoS threat they’ve named Punkey. This new malicious program, which has at least three variants, is very similar to another family of PoS malware known as NewPosThings. The similarities suggest the two families are based on the same source code, but Punkey has enough differences to make it unique. Punkey has versions for both 32-bit and 64-bit Windows-based PoS terminals, and in addition to stealing payment card data while it’s being processed, it also installs a keylogger to capture what employees type on such systems.

Amedisys Notifies Nearly 7,000 Individuals of Potential Breach

April, 2015

SC Magazine reports Louisiana-based home health and hospice care company Amedisys is unable to locate 142 encrypted laptops and computers that were assigned to former team members, and is notifying nearly 7,000 individuals that their personal information could be at risk. Clinician laptop devices included names, Social Security numbers, dates of birth, insurance ID numbers, and other medical information of patients being treated by clinicians assigned to them. Non-clinician devices included a variety of personal health and personally identifiable information. Amedisys devices are protected with 256-bit disk encryption, administrator restrictions, and several other security protections. Former employees no longer authorized to access patient information had access to the encryption key allowing local access to their formerly assigned device, although Amedisys disabled their network password.

Target, MasterCard Settle over Breach

April, 2015

Bank Info Security reports Target has agreed to pay a total of up to $19 million to issuers of MasterCard payment cards over losses and expenses they incurred as a result of the retailer’s massive 2013 breach. The settlement announced April 15 is contingent on issuers of at least 90 percent of the eligible MasterCard accounts accepting their offers by May 20. If sufficient issuers accept the offer, Target says they’ll be paid by the end of June. “This settlement provides our issuers a reasonable resolution of the Target data breach event,” says Eileen Simon, MasterCard chief franchise integrity officer. In a statement, MasterCard says issuers that choose not to accept this offer will have their claims determined by MasterCard internal processes and may receive more or less than the amounts offered in this settlement, depending on various factors. Those include MasterCard’s final determinations of their claims and the outcome of any litigation that Target might file to challenge claim awards to issuers outside of this settlement. Target also is in negotiations with Visa for a breach-related settlement.
