Card Data Breaches

Visa on Target Settlement: No One Is a Winner

August, 2015

The Credit Union Times notes Target agreed to pay issuers an amount over and above what they may already have coming from Visa for costs related to the retailer’s huge 2013 data breach. However, some close to the deal aren’t calling that a win. The offer essentially supplemented Visa’s Global Compromise Account Recovery program, or GCAR, which partially reimburses issuers for fraud and incremental operating expenses associated with breaches. However, the program didn’t cover compromised accounts that had debit transactions routed over non-Visa networks such as STAR, PULSE or NYCE. According to a recording and transcript CU Times obtained of a call between Visa and card issuers, Target offered $2.50 for each of those eligible accounts — if issuers agreed to release the retailer and its financial partners from further legal claims related to the 2013 breach. According to last week’s call, issuers that don’t want to take Target’s offer, dubbed the Alternative Recovery Offer, will still get the full amount they’re eligible for under the GCAR program. But they only have until Sept. 4 if they want the extra money and are willing to forgo legal action.

Payment Card Info of 93,000 Web.com Customers Stolen

August, 2015

Help Net Security reports the name, address, and credit card information of approximately 93,000 customers of Web.com, a popular US-based provider of Internet services to small businesses, has been compromised due to a breach of one of the company’s computer systems. Social security numbers and card validation codes were not compromised, and only the credit card information on file to pay for Web.com services has been affected. According to the FAQ document published on Tuesday, the attack was detected on August 13, 2015. The company doesn’t say how long the unknown perpetrators had access to the system, but says that the unauthorized activity was uncovered “quickly.”

Court Doc Claims Target Delayed Breach Alerts

August, 2015

The Credit Union Times reports a Minnesota judge has ordered the unsealing of a 55-page document alleging that in the months leading up to Target’s massive data breach in late 2013, the retailer repeatedly missed warnings about malware intrusions, kept unencrypted payment card information on its servers and postponed taking action on breach alerts in order to avoid interrupting Cyber Monday. The document contains allegations that the retailer made three decisions that allowed the breach, which compromised tens of millions of credit and debit cards, to occur and greatly increased its severity. First, it claimed, in October 2013, Target disabled and removed key security features by Symantec, an anti-virus provider, and kept them disabled and removed until after Black Friday. Second, Target installed a FireEye cybersecurity application but didn’t implement its malware prevention features, the document alleged. Third, the retailer allegedly didn’t fully integrate the application into its alert-generating system, causing a Dec. 2, 2013, alert about malware associated with the breach to go unheeded.

Target Breach: MasterCard Weighs New Settlement

August, 2015

Bank Info Security notes Target’s Aug. 17 settlement with Visa to reimburse card issuers up to a reported $67 million for expenses related to the retailer’s 2013 data breach may pave the way for a similar revised settlement with MasterCard. And it could eventually derail banks’ pending lawsuit against the retail giant. In May, banks and credit unions rejected MasterCard’s proposed $19 million settlement with Target on the grounds that the compensation for breach-related expenses, including card reissuance, was inadequate. The card issuers chose, instead, to continue to push for more money through their class action lawsuit. But now that Visa’s leading issuers impacted by Target’s breach have accepted Visa’s settlement deal, MasterCard says it, too, is wrapping up negotiations with the retailer for a revised settlement to present to its issuers.

Neiman Marcus Lawsuit: Game On, Again

August, 2015

Bank Info Security reports luxury retailer Neiman Marcus Group LLC has suffered a setback in its attempt to win dismissal of a class-action lawsuit related to its 2013 data breach when a federal appeals court reversed a lower-court decision to throw out the case. But legal experts say that while the ruling is significant, it likely will not dramatically reshape the data-breach litigation landscape. In September 2014, Judge James B. Zagel had dismissed the lawsuit on the grounds that the plaintiffs had failed to prove harm, under what’s known as Article III standing. But in a July 20 opinion, three judges for the U.S. Court of Appeals For the Seventh Circuit – Diane P. Wood, Michael S. Kanne and John Daniel Tinder – wrote that “the district court erred,” and reversed Zagel’s decision. In a notification, the retailer reported that 350,000 credit and debit cards appeared to have been exposed to attackers wielding point-of-sale malware. But in his decision to dismiss the lawsuit, Judge Zagel had noted that only about 9,200 of the 350,000 exposed cards were subsequently used fraudulently, and that none of the plaintiffs had alleged that they had failed to be reimbursed by card issuers for fraudulent charges.

Michael’s Breach: What We’ve Learned

August, 2015

Data Breach Today notes that the news that charges were filed last week against two California residents for their alleged roles in the 2011 Michaels crafts stores breach is a reminder of how much hackers have improved their techniques in just four years. Today, payments breaches have become so commonplace, we forget that there used to be a time when point-of-sale attacks and card compromises surprised us. New Jersey U.S. Attorney Paul Fishman last week announced Angulo and Banuelos had been indicted on charges of conspiracy to commit bank fraud and aggravated identity theft for their alleged connection to the Michaels POS terminal tampering scheme that involved the compromise of some 94,000 credit and debit cards between February and April 2011. Angulo was arrested; Banuelos remains at large. If found guilty, both face a maximum prison sentence of 30 years and a $1 million fine. In July 2012, Eduard Arakelyan and Arman Vardanyan, two others charged for connection to the Michaels breach, pleaded guilty and were sentenced to 36 months in prison. Looking back, it’s amazing that this type of bold, risky scheme was attempted; the hands-on POS attack involved physically replacing devices at cashiers’ checkout lanes at 80 Michaels locations in 19 states.

HanesBrands Reports Data Breach

August, 2015

The Credit Union Times reports Winston-Salem, N.C.-based HanesBrands Inc. reported that a hacker compromised its customer order database in June 2015. The unidentified intruder gained access to information for approximately 900,000 online and telephone customers. HanesBrands president and general manager David Thompson contacted the company’s entire online customer base via email to notify them of the breach, but the company did not release a public statement. According to the Winston-Salem Journal, HanesBrands said the breach occurred during the last week of June. The report said the hacker gained access through the company’s website by posing as a “guest” customer who was checking an order. Affected customers bought items online or by telephone and used the “guest” option. The breach appears to have exposed personal information including customer names, addresses, phone numbers and the last four digits of the credit cards tied to the customers’ accounts.

Why Russian Cybercrime Markets Are Thriving

August, 2015

Data Breach Today reports the prices for stolen payment card data and other cybercrime products and services on Russian underground forums continue to fall. But such marketplaces are thriving more than ever, in part, because they help attackers quickly and affordably organize their efforts. Those findings are included in a new report, Russian Underground 2.0, written by Max Goncharov, a threat researcher at the security firm Trend Micro. He notes that while the price of many cybercrime goods and services continues to fall – due to a glut of what is on offer – the lower prices, as well as increased automation and reliability, make it easier than ever for fraudsters to profit from cybercrime.

Possible Breach Results in Shutdown of Many Retail Photo Services

July, 2015

ThreatPost reports a potential data breach at a third-party provider has resulted in the shutdown of retail photo-printing services at a number of chains, including CVS, Costco, Rite Aid, and several others. The breach reportedly hit PNI Digital Media, a Canadian company that provides the online photo platform for many retailers. The company was acquired by Staples in 2014. The first signs of the breach began appearing in the last couple of weeks, as CVS closed its online photo printing site and Walmart did the same for its stores in Canada.

Man Gets 50 Months in Prison for Hacking U.S.-based Financial Institutions

July, 2015

Help Net Security reports Qendrim Dobruna, a member of an international cybercrime syndicate, was sentenced to 50 months in prison and required to pay $14 million in restitution for his role in hacking into the computer systems of U.S.-based financial institutions, stealing prepaid debit card data, and eliminating withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals in excess of $14 million in a single weekend. The cybercrime organization cashed in by distributing the hacked prepaid debit card numbers to trusted associates around the world, who then immediately withdrew cash from ATMs across the globe.
