The Credit Union Times reports that Winston-Salem, N.C.-based HanesBrands Inc. said a hacker compromised its customer order database in June 2015. The unidentified intruder gained access to information for approximately 900,000 online and telephone customers. HanesBrands president and general manager David Thompson contacted the company’s entire online customer base via email to notify them of the breach, but the company did not release a public statement. According to the Winston-Salem Journal, HanesBrands said the breach occurred during the last week of June. The report said the hacker gained access through the company’s website by posing as a “guest” customer who was checking an order. Affected customers bought items online or by telephone and used the “guest” option. The breach appears to have exposed personal information including customer names, addresses, phone numbers and the last four digits of the credit cards tied to the customers’ accounts.
Data Breach Today reports the prices for stolen payment card data and other cybercrime products and services on Russian underground forums continue to fall. But such marketplaces are thriving more than ever, in part, because they help attackers quickly and affordably organize their efforts. Those findings are included in a new report, Russian Underground 2.0, written by Max Goncharov, a threat researcher at the security firm Trend Micro. He notes that while the price of many cybercrime goods and services continues to fall – due to a glut of what is on offer – the lower prices, as well as increased automation and reliability, make it easier than ever for fraudsters to profit from cybercrime.
ThreatPost reports a potential data breach at a third-party provider has resulted in the shutdown of retail photo-printing services at a number of chains, including CVS, Costco, Rite Aid, and several others. The breach reportedly hit PNI Digital Media, a Canadian company that provides the online photo platform for many retailers. The company was acquired by Staples in 2014. The first signs of the breach began appearing in the last couple of weeks, as CVS closed its online photo printing site and Walmart did the same for its stores in Canada.
Help Net Security reports Qendrim Dobruna, a member of an international cybercrime syndicate, was sentenced to 50 months in prison and required to pay $14 million in restitution for his role in hacking into the computer systems of U.S.-based financial institutions, stealing prepaid debit card data, and eliminating withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals in excess of $14 million in a single weekend. The cybercrime organization cashed in by distributing the hacked prepaid debit card numbers to trusted associates around the world, who then immediately withdrew cash from ATMs across the globe.
Data Breach Today reports Trump Hotel Properties has confirmed that it is investigating reports that it suffered a data breach, leading to the theft and fraudulent use of its customers’ payment card data. News of the potential data breach at Trump Hotel Properties was first reported by security blogger Brian Krebs. He reported that multiple banks had spotted a pattern of fraud beginning in February, suggesting that payment-card data for customers of Trump Hotel Properties in multiple locations – including Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York – had been stolen. If the card-data breach at Trump Hotel Properties is confirmed, it would join a long list of businesses – including numerous other hotel chains, retailers and restaurants, ranging from P.F. Chang’s to Target – that have been breached by hackers and lost their customers’ card data.
SC Magazine reports Missouri-based work wear and accessories retailer Dungarees is notifying an undisclosed number of customers that its website was attacked, and credit and debit card information may have been compromised. Names, billing and mailing addresses, email addresses, credit and debit card numbers, card expiration dates and CVVs are at risk. The number of victims has not been disclosed. Dungarees first became aware of a possible breach on May 15, and later learned that additional manipulations were made to the website that were not apparent on that date. Customer information associated with orders placed on the website between March 26 and June 5 may have been affected. Dungarees has stated that the website was secured, and further safeguards have been put in place. All potentially impacted customers are being notified, and offered identity theft protection services. A customer notification letter said “After a recent migration of our website from one server to another, Dungarees was a victim of an illegal hack from a foreign entity, which may have resulted in a compromise to your credit card or debit card.”
Infosecurity Magazine notes hackers are really gambling on casinos these days. The latest in a spate of casino hits is Las Vegas’ Firekeepers Casino Hotel. Firekeepers is in the process of investigating a possible data security incident involving its point of sale systems that may have impacted its payment processing system for the casino, hotel, restaurants and shops. Any information submitted through the website was not part of the breach, it said in a statement. Given the high-value customers casinos serve, stolen credit and debit cards from this sector are prized by attackers. According to Mark Bower, global director of product management for HP Security Voltage, high spend limits and top-tier cards with a proven rapid ‘stolen data-to-cash’ cycle make casinos a prime target for attacks.
KrebsOnSecurity reports Fred’s Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed that it is investigating a potential credit card breach. KrebsOnSecurity contacted Fred’s after hearing from multiple financial institutions about a pattern of fraud on customer cards indicating that Fred’s was the latest victim of card-stealing malware secretly installed on point-of-sale systems at checkout lanes. Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the midwest and south, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.
The Credit Union Times reports amidst the uproar over the massive government worker data breach, smaller intrusions continue to take place, such as a recent cyber attack against a restaurant chain’s credit card system that prompted the FBI to issue a warning. The announcement warned that criminal hackers are using new malicious software named after the TV character Punky Brewster, but spelled “Punkey,” to steal personal financial data. Investigators have high confidence that Punkey recently infiltrated the network of an unidentified restaurant chain. The new Punkey malware, uncovered by Chicago security firm Trustwave, scans and “scrapes” un-coded, plaintext credit card information in the RAM of payment-processing devices such as card readers and POS terminals. The malware inserts itself into computers, performs system scans, encrypts hacked information, and then connects to remote servers used to store and retrieve stolen credit card data. Cybercriminals then post appropriated data for sale online.
Bank Info Security reports MasterCard’s $19 million breach-expense settlement with Target on behalf of its card issuers has been derailed after an insufficient number of banking institutions chose to accept the terms of the deal. One payments security expert says MasterCard will likely renegotiate its settlement to avoid lengthy litigation. Meanwhile, an attorney representing banks and credit unions involved in a class-action lawsuit against Target, which seeks to recoup breach-related expenses, says the suit will push forward. John Buzzard, who heads FICO’s Card Alert Service, says MasterCard is likely to offer a new settlement that better meets the expectations of issuers. Charles Zimmerman, co-lead counsel for the banking institution plaintiffs in the class-action suit against Target, says banks and credit unions agreed the settlement was unfair. They decided they would rather push forward with their class-action suit than agree to a settlement that provides inadequate reimbursement for their substantial breach-related expenses.