Data Breach Today reports Park ‘N Fly is notifying an undisclosed number of customers that their payment card information was exposed following a compromise of the company’s e-commerce website. Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards, says one card issuer who asked not to be named. “These cards are favored by fraudsters because of high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders,” the issuer says. Park ‘N Fly, an offsite airport parking operator based in Atlanta, says that it has hired data forensics experts to assist with its investigation of the breach, which has been contained. Compromised information includes card numbers, cardholder names, billing addresses, card expiration dates and security codes. Other loyalty customer data that may have been exposed includes e-mail addresses, Park ‘N Fly passwords and telephone numbers.
BusinessWire reports Heartland Payment Systems, one of the nation’s largest payment processors, today announced it is the first company to offer a comprehensive warranty that protects businesses from payment card breach losses in the event of a breach. Heartland’s breach warranty is offered at no charge to its Heartland Secure™ merchants in the first year and can be extended for $8.33 per month per card-entry device. To be covered under the warranty, a merchant must have a Heartland Secure-certified device and process payments through Heartland on that device. Heartland Secure™ is a comprehensive credit/debit card data secure payment solution that combines three powerful technologies – EMV, the Heartland E3® end-to-end encryption technology and tokenization – working in unison to provide merchants with the highest level of protection for card-present transactions. If the encryption fails on a Heartland Secure machine, Heartland will reimburse the merchant for the amount of compliance fines, fees and/or assessments the merchant must pay to the card brands, issuing banks and acquiring bank(s).
SC Magazine reports a federal judge has capped at $500,000 the liability that Schnuck Markets is responsible for paying its payment-processing partners in relation to its data breach case. Judge John Ross ruled on Thursday that transaction processor First Data Merchant Services Corp. and merchant bank Citicorp Payment Services Inc. could only withhold up to $500,000 in funds, according to the St. Louis Business Journal. Any funds held in excess of that will now have to be returned to the company. Schnucks did not specify how much the third parties were withholding. While the processing partners argued that their agreement with the company did not cover “third-party fees” and others related to fraud reimbursement, Judge Ross rejected the argument. Schnucks recently reached a settlement agreeing to pay customers for bogus charges and monetary losses resulting from its breach, which exposed 2.4 million payment cards.
KrebsOnSecurity notes parking services took a beating last year at the hands of hackers bent on stealing credit and debit card data. A recent victim — onestopparking.com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. The cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking.com, a Florence, KY-based company that provides low-cost parking services at airport hotels and seaports throughout the United States.
SC Magazine reports an undisclosed number of individuals who used their credit cards to book reservations through the website of hotel management company AMResorts may have had their personal information compromised. AMResorts’ parent company Apple Leisure Group (ALG) began receiving calls from customers regarding suspicious activity on their credit cards. ALG launched an investigation and identified activity in the AMResorts system that possibly indicates unauthorized access to the personal information. This information included names, addresses, credit card information, telephone numbers, email addresses and possibly dates of birth. An investigation is ongoing. Processes were changed so that access to credit card information is no longer possible. All potentially impacted individuals are being notified, and offered a free year of identity protection services.
Information Week’s Wall Street and Technology notes stealing credit card and financial data is a profitable business. Everyone has seen headlines about breaches at Sony, Target, USPS, and JPMorgan. With JPMorgan Chase, personal information for 83 million customers was stolen. The recent attack at Sony Pictures is a stark reminder that the theft of IP is a real possibility — and the recent FireEye FIN4 report characterizes activities of a group that has been infiltrating Wall Street to steal confidential information on business deals and financial markets. Once you assume that your enterprise will be breached despite even the strongest security team and the best defenses, it’s time to get ready. Here are five tips on how to prepare for a data breach:
1. Have a strong incident response plan
2. Eradicate complacency
3. Collect data today—so you can investigate in the future
4. Use data to look for bad behavior
5. Make security a priority for everyone
KrebsOnSecurity reports sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation. Reports began surfacing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but they were spotty at best. Then, just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014. One financial institution that received that alert said the bank had nearly 9,000 customer cards listed in that alert, and that the only common point-of-purchase was Chick-fil-A locations.
SC Magazine reports community banks took a hit in the aftermath of the Home Depot breach, absorbing more than $90 million in costs to reissue close to 7.5 million payment cards, according to the Independent Community Bankers of America (ICBA). The group said that of the banks it surveyed, more than four percent had reported detecting fraud on compromised accounts. The banks avoided a higher fraud rate, the ICBA contended, by quickly issuing new credit and debit cards. In a statement, ICBA Chairman John Buhrmaster, who is also president and CEO of 1st National Bank of Scotia in New York, said community banks absorb the costs of breaches upfront “because their primary concern is to protect their customers,” but that the money could be better spent on lending in local communities.
Data Breach Today notes it has been a year since the breach at Target Corp., which exposed 40 million debit and credit cards along with personal information about an additional 70 million customers. Although the attack drew attention to the need for bolstered cybersecurity measures, retail breaches show no signs of abating. Other major payments breaches at retailers since Target have included Sally Beauty, Michaels, Home Depot, Kmart and Staples, to name a few. Target was a watershed event that put the spotlight on payment card security. Here’s a review of seven important lessons learned from the huge breach incident:
1. EMV Alone Is Not Enough
2. Network Segmentation Is a Necessity
3. Third-Party Oversight Is Part of Compliance
4. Log Monitoring Needs Analytics
5. Executives, Boards Are Accountable
6. Retailers May Be Liable for Breaches
7. Cyberthreat Intelligence Sharing Must Improve
KrebsOnSecurity reports office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result. Krebs first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating “a potential issue” and had contacted law enforcement.