Credit Card

Card Data Breaches

UPS Reveals Data Breach

August, 2014

Data Breach Today reports UPS is warning that subsidiary UPS Stores suffered a point-of-sale malware attack that compromised numerous card transactions over a seven-month period. All told, 51 of its U.S. franchised center locations across 24 states were infected, which may have resulted in attackers compromising customers’ personal information and payment card details, including some Social Security and driver’s license numbers, thus placing them at risk of identity theft and fraud. About 105,000 credit card and debit card transactions were compromised in the data breach, according to UPS spokeswoman Chelsea Lee. The number of customers affected has not been revealed.

PF Chang’s Data Breach Lasted 8 Months

August, 2014

Help Net Security reports Asian-themed US restaurant chain P.F. Chang’s China Bistro has finally provided some more details about the breach it suffered earlier this year, including the 33 restaurant locations where the security of their PoS systems was compromised. The company first found out about the compromise on June 10, 2014, when it was alerted by the US Secret Service. On the very next day, they moved to a manual processing system for all credit and debit card transactions. Once the affected hardware was replaced, they went back to their standard card processing system. The subsequent investigation revealed that the initial intrusion dates back to October 10, 2013. The company believes that the thieves made away with card numbers and, in some cases, also the cardholder’s name and/or the card’s expiration date. The stolen card data appeared for sale on well-known carder store Rescator(dot)so in June, and was sold for between $18 and $140 per card.

The True Cost of Data Breaches

August, 2014

Bank Systems & Technology notes cyber security and protecting customer data continue to be top of mind not only for banks, but also for retailers, software firms, and any company that stores valuable data. These days it seems that not a week goes by without a report of another high-profile data breach. While data breaches are costly for retailers and for banks that have to reimburse customer losses due to fraud, there is also a significant cost to consumers. Overall, the true cost of data breaches is significantly higher than one would think, according to multi-factor authentication provider Authentify. The firm estimates each breach costs about $5.4 million for the affected companies.

Supermarket Chain Reveals New Breach

August, 2014

Data Breach Today reports the Supervalu supermarket chain is investigating a network intrusion that may have resulted in criminals compromising customer data from point-of-sale systems in more than 1,000 stores. Supervalu says unauthorized access to its systems began no earlier than June 22 and ended no later than July 17, and may have resulted in the theft of data from 180 Supervalu grocery stores – including franchised stores – as well as standalone liquor stores across seven states. Supervalu, which is based in Eden Prairie, Minn., earned $34.3 billion in 2013 revenues and is the third-largest food retailer in the U.S., acting as a wholesale supplier to a number of food stores, as well as operating stores under such brand names as Cub, Farm Fresh, Shoppers, Shop ‘n Save and Hornbacher’s. The data breach may also have affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw’s and Star Markets stores in 21 states.

Black Hat: SAP Systems Vulnerable to Payment Card Theft, Rerouting Payments

August, 2014

SC Magazine notes stealing stored payment card data and rerouting payments in SAP systems is easy for Ertunga Arsal. In a demonstration at Black Hat 2014, Arsal, who has audited hundreds of corporate and government enterprise SAP systems and uncovered hundreds of vulnerabilities, used a tool to launch a remote shell on a SAP system. He was able to gain admin user access, which ultimately enabled him to tap into vendor payment histories, as well as bank accounts also maintained in the SAP system. In the end, he showed how an attacker could reroute payments. Although detection can take longer if there are no proper security measures, Arsal said rerouting payments is typically a “one-shot kind of attack to SAP systems” because eventually the recipient will realize they have not been paid. Improved auditing and more automation will help the problem, Arsal said.

Emerging POS Attacks Target Small Merchants

August, 2014

Bank Info Security reports a new point-of-sale malware strain known as Backoff has been linked to numerous remote-access attacks, putting small merchants at greatest risk, according to an alert from federal authorities. The alert from the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center notes that Backoff is a recently discovered family of POS malware that has now been identified in at least three separate forensic investigations. Investigations into recent retail compromises reveal that many attacks waged against retailers’ networks have been successful because of remote-access vulnerabilities. In incidents linked to Backoff, compromise of remote-access portals allowed attackers to install the memory-scraping malware directly to merchants’ payment terminals. Backoff, like other memory-scraping malware, steals magnetic-stripe card data collected for the completion of POS transactions.

Nearly 600 U.S. Businesses Compromised by ‘Backoff’ POS Malware

August, 2014

SC Magazine reports attackers are brute-forcing popular remote desktop software to infect point-of-sale (POS) devices with a relatively new malware known as Backoff, according to a recent alert issued by the United States Computer Emergency Readiness Team (US-CERT). So far attackers have compromised nearly 600 large and small businesses all located across the United States, Karl Sigler, threat intelligence manager with Trustwave, told SCMagazine.com, adding that the majority are food and beverage retailers. US-CERT identified the threat in collaboration with Trustwave, as well as the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), and Financial Sector Information Sharing and Analysis Center (FS-ISAC). The criminals gained initial access through remote access systems set up on many POS systems for support and troubleshooting purposes, according to Sigler. He said they would then run a brute-force attack on the remote access system’s passwords.

Michaels Breach Lawsuits Dismissed

August, 2014

Data Breach Today reports a district court in Illinois has dismissed a consolidated consumer class action lawsuit seeking damages from Michaels Stores Inc. for a card breach the arts and crafts retailer suffered starting in 2013. In a 20-page ruling, U.S. District Judge Elaine Bucklo says the six plaintiffs named in the consolidated suits failed to prove that they suffered “actual economic damage” as a result of using their credit and debit cards at Michaels during the time of the breach. In April, the arts and crafts retailer confirmed its stores were hit by a data breach that potentially compromised account information for 3 million payment cards between May 2013 and Feb. 2014. Michaels operates 1,262 stores under the Michaels and Aaron Brothers brands in 49 states and Canada. Last year, the company reported $4.6 billion in sales revenue. Bucklo says the suits failed to show that consumers suffered monetary losses as a result of the breach. Security experts say class action lawsuits filed by consumers in the wake of card breaches are increasingly dismissed by U.S. courts.

Target Request to Halt Discovery Denied

July, 2014

Data Breach Today reports a federal judge has denied Target’s motion to halt the discovery process in the class action lawsuits filed against the retailer in the wake of its December 2013 data breach. “The court has determined that discovery in this complex case should proceed and has set an ambitious schedule for that discovery,” says Paul Magnuson, U.S. district court judge in Minnesota, in a July 24 ruling. Target had recently requested that the court halt the discovery process until the court can consider its forthcoming motions to dismiss most of the suits. But the retailer has yet to file the motions to dismiss, Magnuson notes in his ruling. Financial institution and consumer plaintiffs in class action lawsuits filed against Target followed up with a July 18 memorandum arguing the discovery process should not be delayed.

Hotel’s Payment System Breached

July, 2014

Data Breach Today reports that for six months, cyber-attackers breached the credit card payment system for the Houstonian Hotel, Club and Spa, accessing account information of an undisclosed number of customers. On June 10, the U.S. Secret Service notified the hotel regarding a potential breach in the organization’s payment processing systems. The Houstonian then took mitigation steps, according to a statement provided to Information Security Media Group. A forensics team determined that an intruder illegally penetrated the hotel’s internal computer systems between Dec. 28, 2013, and June 20, 2014. Credit card and payment information was compromised during that time, the hotel says. State and federal law enforcement investigations into the incident are continuing. The hotel is offering affected individuals one year of free credit monitoring services.
