Krebs on Security reports that, two months after it reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems. According to a statement released after markets closed, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, and April 21 to July 27, 2015. Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs). The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside franchised restaurants, coffee bars and gift shops within Hilton.
Data Breach Today reports Starwood Hotels and Resorts has confirmed a point-of-sale malware intrusion that likely stole payment card data from a limited number of its hotels in North America. But card issuers say they don’t believe the Starwood breach is isolated, and that fraud patterns indicate that another, perhaps larger, breach is impacting cards across the country. On November 20, Starwood posted a notice to its website, telling customers that malware had infected certain restaurants, gift shops and other POS systems at Starwood properties, which include locations in New York, New Jersey, Texas and California. According to Starwood there is no indication at this time that the company’s guest reservation or Starwood Preferred Guest membership systems were impacted. Starwood stated the malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. They said there is no evidence that other customer information, such as contact information or PINs, was affected by this issue.
The Credit Union Times reports the Chicago-based information security company Trustwave uncovered a POS memory-scraper malware dubbed “Cherry Picker.” Trustwave is currently analyzing one case of Cherry Picker, which has been undetected by antivirus systems and security companies since 2011. It has targeted the food and beverage industry, but Trustwave warned any business with a POS application processing credit card numbers is at risk. Similar to how a cherry picker positions himself to make an easy goal in a basketball or soccer game, the malware scouts an infected system and pinpoints exactly which processes to target in order to successfully steal credit card information. The malware can also steal privileged credentials, allowing criminals remote access to a customer’s network – something that has become a trend in the cybercrime space. Cherry Picker uses configuration files, encryption, obfuscation and command line arguments to stay away from companies’ radars, giving the malware a very low detection rate. Trustwave also learned the malware has consistently improved and morphed into three slightly different variations since 2011, making it even more difficult to detect.
SC Magazine reports the First National Bank of Omaha is issuing new debit cards to customers in seven states after a large data breach at an unidentified national firm. The bank’s own security was not compromised; the incident is limited to consumers who have done business with the company targeted in the attack, the Omaha World-Herald reported. “We have learned that potential exposure by a third party not associated with First National Bank may have caused your debit card to be at risk for possible unauthorized use or fraudulent activity,” the bank said in a letter to customers. The letter didn’t specify how many people were affected. A bank spokesman told the Omaha World-Herald that First National decided to reissue debit cards to prevent incidents during the holiday season. Credit cards are not being reissued. The investigation is ongoing.
Data Breach Today reports TalkTalk Telecom Group has been hit with a ransom demand, following a “significant” hack attack that remains under investigation. The London-based telecommunications provider has warned that information for up to 4 million customers may have been compromised in the data breach, including payment card accounts and bank details. To date, however, it’s not clear if the ransom demand has been lodged by whoever hacked the company. After saying Oct. 21 that it was investigating a potential breach, TalkTalk on Oct. 23 issued a warning confirming that it had suffered a “significant and sustained cyberattack on our website.”
The Credit Union Times reports a data breach compromised information belonging to about 300 members of the Lenexa, Kan.-based Mainstreet Federal Credit Union, according to President/CEO John Beverlin. Beverlin told CU Times hackers did not break into the credit union’s systems and that the fraudsters likely purchased members’ information somewhere online. Now the criminals are trying to capitalize on it, he said, and they’ve rung up more than $200,000 in fraudulent charges so far. “Our systems were not hacked,” Beverlin emphasized. “They’re using data that they evidently received through a merchant breach. All the transactions, the monetary ones, are through some place in Shanghai, China.” Beverlin said card services notified the $378 million credit union, which has about 58,000 members, of suspicious activity on Columbus Day. The credit union is still determining the source of the breach and whether it can tie the affected accounts back to a specific retailer, according to Beverlin. How the criminals got the information is still a mystery, though.
Krebs on Security reports multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims. In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity. However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.
The Credit Union Times reports ACI Worldwide’s 2015 Global Payments Insight Survey takes a broad look at the payments landscape around the globe, part two of which includes the retail industry’s perspective of the payments market globally. The payments evolution has captured the attention of ACI Worldwide and the United Kingdom-based research firm Ovum, which collaborated with ACI on the study. The report’s information was derived from more than 1,100 executives who represent leading banks, billing organizations and retailers from the Americas, Europe, the Middle East, Africa and the Asia Pacific. ACI Worldwide approached the retail portion of the survey with the consideration that when it comes to payments, the retailer’s voice is rarely heard or understood. “Much of the media hype around the revolution in payments remains fixed on either consumers or individual payment segments with little context or real consideration to how these technologies will play out across the global payments value chain,” the study stated. It is essential, the study said, that more attention be given to payments as a critical aspect of retail, an industry for which maintaining the “status quo” is no longer an option.
The United States Department of Justice announced a Russian national recently admitted his role in a worldwide hacking and data breach scheme that targeted major corporate networks, compromised more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses – the largest such scheme ever prosecuted in the United States. Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, pleaded guilty before Chief U.S. District Judge Jerome B. Simandle of the District of New Jersey to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. Drinkman was arrested in the Netherlands on June 28, 2012, and was extradited to the District of New Jersey on Feb. 17, 2015. “This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the United States,” said Assistant Attorney General Caldwell. According to documents filed in this case and statements made in court, Drinkman and four co-defendants allegedly hacked into the networks of corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information that the conspirators could exploit for profit, including the computer networks of NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
The Credit Union Times notes Target agreed to pay issuers an amount over and above what they may already have coming from Visa for costs related to the retailer’s huge 2013 data breach. However, some close to the deal aren’t calling that a win. The offer essentially supplemented Visa’s Global Compromise Account Recovery program, or GCAR, which partially reimburses issuers for fraud and incremental operating expenses associated with breaches. However, the program didn’t cover compromised accounts that had debit transactions routed over non-Visa networks such as STAR, PULSE or NYCE. According to a recording and transcript CU Times obtained of a call between Visa and card issuers, Target offered $2.50 for each of those eligible accounts — if issuers agreed to release the retailer and its financial partners from further legal claims related to the 2013 breach. According to last week’s call, issuers that don’t want to take Target’s offer, dubbed the Alternative Recovery Offer, will still get the full amount they’re eligible for under the GCAR program. But they only have until Sept. 4 if they want the extra money and are willing to forgo legal action.