
Card Data Breaches

Travel Site Breach Impacts 1.4 Million

November, 2014

Bank Info Security reports travel-booking website Viator is notifying approximately 1.4 million customers about a data breach that could potentially affect payment card data, along with other personal information, used to make bookings through the company’s websites and mobile offerings. In August, Viator officially became part of the TripAdvisor family of companies after an acquisition originally announced in July. Viator has determined that approximately 880,000 of its customers may have had their payment card information – including encrypted credit or debit card number, card expiration date, name, billing address and e-mail address – compromised. In addition, those customers may have had their account information, such as encrypted password and Viator “nickname,” exposed.

Home Depot Breach Cost CUs Nearly Double Those from Target

November, 2014

The data security breach at Home Depot stores in September cost credit unions nearly $60 million to reissue cards, deal with fraud and cover other costs, according to the results of a new survey of credit unions, recently released by the Credit Union National Association. The CUNA survey, which asked credit unions to report the effects of the Home Depot breach, found that 7.2 million credit union debit and credit cards were affected. The survey shows that the cost per card reissued by credit unions was $8.02, which included costs for reissuing, as well as fraud and other costs such as additional staffing, member notification, account monitoring and others.

Banks: Credit Card Breach at Staples Stores

October, 2014

Krebs on Security reports multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Backoff PoS Malware Boomed in Q3

October, 2014

Information Week’s Dark Reading notes that, try as they might, retailers don’t seem to be able to get the Backoff malware to actually back off. According to a new report from the security firm Damballa, detections of the notorious point-of-sale (PoS) malware jumped 57% from August to September. During the month of September alone, Backoff infections increased 27%. This year, the Secret Service estimated that as many as 1,000 US businesses may be infected by the malware. That list of impacted businesses features some big names, including United Parcel Service (UPS) and Dairy Queen. According to Damballa, the increase demonstrates that the malware is bypassing network prevention controls, and it underscores the importance of ensuring that PoS traffic is visible. In many cases, the PoS systems stand apart from the corporate network, according to Damballa CTO Brian Foster. He notes they connect to local networks, which have limited security. Without this visibility, it’s impossible to discover that the device is communicating with criminal command and control.

Alleged Russian Hacker Faces 40 Charges

October, 2014

Bank Info Security reports alleged Russian hacker Roman Valerevich Seleznev, arrested earlier this year, is facing 11 additional charges tied to the theft of credit card information for later sale on “carding” websites. As set forth in the indictment, the government expects to prove at trial that Seleznev was a leader in the marketplace for stolen credit card numbers, and even created a website offering a tutorial on how to use stolen credit card numbers to commit crime, according to acting U.S. Attorney Annette Hayes. The indictment alleges that Seleznev, also known by the online handle “Track2,” was involved in the theft and sale of more than 2 million credit card numbers. He is scheduled for trial on Nov. 3 and will be arraigned on the new charges sometime next week.

Russian Hackers Made $2.5B Over the Last 12 Months

October, 2014

Dark Reading reports the Russian hacking industry brought in $2.5 billion between mid-2013 and mid-2014, thanks in large part to the Target breach, according to a report released today by Group-IB. Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that’s 10 times more profitable than your average plaintext credit card number. Also, while financial fraud is still a big earner — accounting for $426 million — it’s being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million. All of this is evidence of the growing sophistication of the Russian cybercrime industry.

TD Bank Agrees to Breach Settlement

October, 2014

Data Breach Today reports TD Bank has agreed to a multi-state settlement in the wake of a 2012 data breach involving the loss of two backup tapes that may have exposed personally identifiable information about 260,000 of the bank’s 8 million U.S. customers. The settlement, announced Oct. 15 by New York Attorney General Eric T. Schneiderman, requires TD Bank to pay an $850,000 fine and reform its practices to help prevent breaches. An official close to the investigation tells Information Security Media Group that the fine is tied to the bank’s security habits and untimely notification of the breach. Nine attorneys general worked for a year and a half to investigate the breach and the bank’s policies and procedures, Schneiderman says, involving locations in Connecticut, Florida, Maine, Maryland, New Jersey, North Carolina, Pennsylvania, Vermont and New York.

Kmart Says Payment Cards Breached

October, 2014

Bank Info Security reports retailer Kmart has confirmed a breach that started in early September involving a “new form” of malware that infected the company’s payment card systems. Impacted information includes debit and credit card numbers. Based on the forensic investigation to date, no personal information, debit card PINs, e-mail addresses or Social Security numbers were obtained by the hackers. Kmart also says there’s no evidence that its kmart.com customers were impacted by the breach. Kmart did not immediately disclose how many cards were impacted in the breach. The malware used in the attack was undetectable by current anti-virus systems, the company says. Members and customers who shopped with a credit or debit card in Kmart stores during the month of September through Oct. 9 will be offered free credit monitoring protection, the company says. Kmart is working closely with federal law enforcement authorities, its banking partners, and security experts in its ongoing investigation. In response to a writer’s query, a Kmart spokesperson told ISMG it is not disclosing any details, at this time, about the quantity of payment cards that may have been compromised.

Dairy Queen Confirms Breach, Backoff Malware Intrusion at 395 U.S. Stores

October, 2014

SC Magazine reports a data breach at International Dairy Queen, Inc. has resulted in systems at 395 of its more than 4,500 U.S. stores being infected with Backoff malware that has plagued other retailers nationwide and exposed customer payment information. Dairy Queen had already been under scrutiny for a possible malware issue that could have impacted payment cards that were used in some U.S. locations. After what it called “an extensive investigation” by outside forensic experts, the company determined, in what is becoming a familiar refrain, attackers compromised account credentials of a third-party vendor to gain access to the systems. In a press release detailing the investigation’s findings, Dairy Queen included a list of the locations hit as well as the time periods that Backoff was present on their systems, which varied by location. Those systems housed customer payment card information, including names, account numbers and expiration dates. The company said it has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of the malware infection.

Breach Fatigue? Most Consumers Unaware of eBay, Home Depot Incidents

October, 2014

Infosecurity Magazine notes 2014 has been dubbed the year of the data breach, and that appears to be translating into consumer fatigue and tune-out. The majority of consumers (77%) have already forgotten or are unaware of one of the largest data breaches in history: eBay. In fact, only the Target and Home Depot data breaches scored higher than 23% in public awareness in a recent survey from Software Advice. This suggests that consumers are fatigued and are starting to tune out headline-worthy breaches. “The results of our poll suggest that the public may already have reached ‘peak breach,’ responding to most of these stories with a shrug,” said Daniel Humphries, market research associate at Software Advice. “A breach has to be truly massive, and focus on credit cards over other types of data loss, for it to attain any serious level of public awareness. And even then, the Home Depot breach seems to be having less of an impact than the Target breach did—so even the mega-breaches may be having less impact.” On one hand, this is good news for companies, he pointed out. Security breaches need not have any long-term effect on their fortunes; rather, they act as speed bumps. And yet, public anger about data breaches could act as a strong incentive for firms to improve the quality of their security; in its absence, that incentive may be lacking.
