
Card Data Breaches

Russian Hackers Made $2.5B Over the Last 12 Months

October, 2014

Dark Reading reports the Russian hacking industry brought in $2.5 billion between mid-2013 and mid-2014, thanks in large part to the Target breach, according to a report released today by Group-IB. Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that’s 10 times more profitable than your average plaintext credit card number. Also, while financial fraud is still a big earner — accounting for $426 million — it’s being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million. All of this is evidence of the growing sophistication of the Russian cybercrime industry.

TD Bank Agrees to Breach Settlement

October, 2014

Data Breach Today reports TD Bank has agreed to a multi-state settlement in the wake of a 2012 data breach involving the loss of two backup tapes that may have exposed personally identifiable information about 260,000 of the bank’s 8 million U.S. customers. The settlement, announced Oct. 15 by New York Attorney General Eric T. Schneiderman, requires TD Bank to pay an $850,000 fine and reform its practices to help prevent breaches. An official close to the investigation tells Information Security Media Group that the fine is tied to the bank’s security habits and untimely notification of the breach. Nine attorneys general worked for a year and a half to investigate the breach and the bank’s policies and procedures, Schneiderman says, involving locations in Connecticut, Florida, Maine, Maryland, New Jersey, North Carolina, Pennsylvania, Vermont and New York.

Kmart Says Payment Cards Breached

October, 2014

Bank Info Security reports retailer Kmart has confirmed a breach that started in early September involving a “new form” of malware that infected the company’s payment card systems. Impacted information includes debit and credit card numbers. Based on the forensic investigation to date, no personal information, debit card PINs, e-mail addresses or Social Security numbers were obtained by the hackers. Kmart also says there’s no evidence that its kmart.com customers were impacted by the breach. Kmart did not immediately disclose how many cards were impacted in the breach. The malware used in the attack was undetectable by current anti-virus systems, the company says. Members and customers who shopped with a credit or debit card in Kmart stores during the month of September through Oct. 9 will be offered free credit monitoring protection, the company says. Kmart is working closely with federal law enforcement authorities, its banking partners, and security experts in its ongoing investigation. In response to a writer’s query, a Kmart spokesperson told ISMG it is not disclosing any details, at this time, about the quantity of payment cards that may have been compromised.

Dairy Queen Confirms Breach, Backoff Malware Intrusion at 395 U.S. Stores

October, 2014

SC Magazine reports a data breach at International Dairy Queen, Inc. has resulted in systems at 395 of its more than 4,500 U.S. stores being infected with Backoff malware that has plagued other retailers nationwide and exposed customer payment information. Dairy Queen had already been under scrutiny for a possible malware issue that could have impacted payment cards that were used in some U.S. locations. After what it called “an extensive investigation” by outside forensic experts, the company determined, in what is becoming a familiar refrain, attackers compromised account credentials of a third-party vendor to gain access to the systems. In a press release detailing the investigation’s findings, Dairy Queen included a list of the locations hit as well as the time periods that Backoff was present on their systems, which varied by location. Those systems housed customer payment card information, including names, account numbers and expiration dates. The company said it has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of the malware infection.

Breach Fatigue? Most Consumers Unaware of eBay, Home Depot Incidents

October, 2014

Infosecurity Magazine notes 2014 has been dubbed the year of the data breach, and that appears to be translating into consumer fatigue and tune-out. The majority of consumers (77%) have already forgotten or are unaware of one of the largest data breaches in history: eBay. In fact, only the Target and Home Depot data breaches scored higher than 23% in public awareness in a recent survey from Software Advice. This suggests that consumers are fatigued and are starting to tune out headline-worthy breaches. “The results of our poll suggest that the public may already have reached ‘peak breach,’ responding to most of these stories with a shrug,” said Daniel Humphries, market research associate at Software Advice. “A breach has to be truly massive, and focus on credit cards over other types of data loss, for it to attain any serious level of public awareness. And even then, the Home Depot breach seems to be having less of an impact than the Target breach did—so even the mega-breaches may be having less impact.” On one hand, this is good news for companies, he pointed out. Security breaches need not have any long-term effect on their fortunes; rather, they act as speed bumps. And yet, public anger about data breaches could act as a strong incentive for firms to improve the quality of their security; in its absence, that incentive may be lacking.

CUNA Issues ‘Stop The Data Breaches’ Action Alert, Resources

October, 2014

CUNA announced that it has launched a national action alert on data breaches, as well as an extensive toolkit of resources for credit unions to use in communicating the message “stop the data breaches.” CUNA’s most recent actions on the data breach issue include launching a new informational website, a social media campaign urging improved policy and other outreach efforts to work to stop the data breaches and their harmful effects on credit unions and their members. CUNA President/CEO Jim Nussle said in a letter to credit unions, “Congress must stop the data breaches by mandating consistent data security standards for merchants.” Nussle adds that the CUNA action alert is a unique opportunity to shape the cybersecurity debate going forward. Credit unions are held to strict data standards under the Gramm-Leach-Bliley Act, and CUNA is urging Congress to hold merchants to the same standards. A survey conducted in February by CUNA showed that 74% of respondents favor making merchants bear the costs of fraudulent use and reissuing credit and debit cards.

Clothing Retailer Reports Data Breach

October, 2014

Data Breach Today reports Sheplers, a western-wear retailer based in Frisco, Texas, says the company’s payment systems have been breached by hackers who gained access to some of its customers’ payment card information. The breach potentially impacts customers who used payment cards at Sheplers’ retail locations between June 11 and Sept. 4, the company says. So far, it’s not believed that the breach affected Sheplers’ online web store. In addition, there’s no evidence that debit card PINs were compromised. Impacted information includes names, credit and debit card account numbers and expiration dates, Sheplers says.

216 Jimmy John’s Restaurants Affected in Data Breach

September, 2014

Data Breach Today reports the restaurant chain Jimmy John’s has confirmed a payment card data breach that affected about 216 of its locations in 40 states. Potentially exposed information includes card numbers and, in some cases, the cardholder’s name, verification code and/or the card’s expiration date. Information entered online, such as customer address, e-mail and password, remains secure, the company says. The Champaign, Illinois-based restaurant chain, which has more than 2,000 locations, did not reveal how many cards were potentially impacted. The company says it appears that customers’ payment card data was compromised after an intruder stole log-in credentials from its “point-of-sale vendor” and used the credentials to remotely access the point-of-sale systems and install malware at some corporate and franchised locations between June 16 and Sept. 5.

Home Depot Was Hacked by Previously Unseen ‘Mozart’ Malware

September, 2014

The Wall Street Journal reports federal security agencies warned retailers Wednesday that a previously unseen malicious software program they are calling Mozart was used in the attack on Home Depot earlier this year. The warnings came in a report by the Department of Homeland Security that drew on findings gathered by the Secret Service, which is investigating the breach, according to people familiar with the matter. The software appeared to be customized for the home improvement retailer’s systems. While it was designed to steal credit card numbers and accomplish the same goals as computer code deployed in other giant breaches, at each turn it carried out its mission in slightly different ways to evade security gear. Mozart was a phrase that appeared in the malware’s code and appeared to be a reference to a directory on the attacker’s system. Home Depot confirmed the report and said there were specific attributes of the malware that indicated it was customized to the retailer. For instance, it used file names that blended in with legitimate filenames and are unique to Home Depot’s technology, the company said. The attack on Home Depot ran for five months and may have compromised 56 million credit and debit cards, far bigger than the holiday season attack on Target Corp.

Home Depot: 56 Million Cards Breached

September, 2014

Data Breach Today reports Home Depot says an estimated 56 million payment cards were exposed in the data breach at its U.S. and Canadian stores. Home Depot, in an updated statement, says that to evade detection, the criminals involved in the cyber-attack against it used custom-built malware, which has not been used in other attacks. The company said that it has also completed a major payment security project that provides enhanced encryption of payment data at the point of sale in the company’s 1,977 U.S. stores. The retailer’s enhanced payment security is from Voltage Security. The encryption project, launched in January, was completed in all U.S. stores on Sept. 13. The project required writing tens of thousands of lines of new software code and deploying nearly 85,000 new PIN pads to stores, Home Depot says. Rollout of enhanced encryption to 180 Canadian stores will be completed by early 2015, the company says. All Canadian stores are already equipped with EMV technology; U.S. stores will have EMV in place by the end of this year.
