Tag Archives: Point of sale

Breach Brief – U.S. Navy, Madison Square Garden

The United States Navy announced on Wednesday that hackers have gained access to sensitive personal information of more than 130,000 current and former sailors. The information lost includes names and Social Security numbers.

According to Navy officials the information was contained on a laptop computer belonging to Hewlett Packard Enterprise Services, a Navy contractor. The firm first notified the Navy on October 27.

Chief of Naval Personnel Vice Admiral Robert Burke issued a statement saying: “The Navy takes this incident extremely seriously. This is a matter of trust for our sailors.” He then went on to add that the investigation is still in its “early stages.”

The Navy is reacting by following all required procedures to notify and protect sailors affected by the breach. Officials stated that additional information on the breach would be provided to affected sailors as it becomes available. Sailors will also receive credit monitoring service options in the future. The Navy insisted: “There is no evidence to suggest misuse of the information that was compromised.”

This is the second major loss of Navy data involving Hewlett-Packard. According to the Navy Times, HP reported to the Navy in 2013 that Iranian hackers had compromised the unclassified Navy and Marine Corps Intranet. Navy Times reported the personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.

The iconic Madison Square Garden Company reported that malware in its payment systems has been capturing payment-card data for more than a year.

On Tuesday MSG warned customers that the breach had exposed customer data found on the magnetic stripes of credit cards. Data collected included card numbers, cardholder names, expiration dates, and internal verification codes.

Madison Square Garden properties affected include the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater. MSG has not announced how many cards are compromised, but millions of people visit the properties annually.

Breach Brief – Wendy’s

It seems that the Wendy’s data breach was worse than thought. The AACR first reported the data breach in January. Now we are seeing the real damage. Wendy’s has admitted that the data breach was first suspected of affecting only a few hundred of its restaurants. Now the truth comes out and the number is over 1,000.

Wendy’s has released a searchable list of all the restaurants affected by the breach.

Originally Wendy’s believed that only 300 of its 5,700 franchises were breached. Wendy’s notified its customers and the public of the breach in February when it discovered evidence of malware in its POS systems.

Wendy’s has issued the following statement regarding the expanding breach.

“Based on the facts known to Wendy’s at this time, the additional malware targeted the following payment card data: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. Please note that the cardholder verification value that may have been put at risk is not the three or four-digit value that is printed on the back or front of cards, which is sometimes used in online transactions.”

After detecting the presence of the malware Wendy’s claimed to have disabled it. Wendy’s believes that the malware attack first took place in the fall of 2015. Wendy’s also believes that it detected evidence of at least two separate malware attacks on its systems.
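The Wendy’s statement above draws a distinction that matters when scoping a POS incident: the verification value on the magnetic stripe is not the three- or four-digit code printed on the card. The following is an added example, not code from Wendy’s, Krebs or this site, showing the kind of check an incident responder runs over log or memory-dump text to find track 2 records, validate the card number with the Luhn check, mask it for reporting, and flag whether the issuer’s discretionary data (where the stripe verification value sits) was present. It assumes the ISO/IEC 7813 track 2 layout; the log lines and the card number are constructed, the latter being a public Luhn-valid test number.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?
# PAN is 13-19 digits, then '=' separator, 4-digit expiry (YYMM), 3-digit
# service code, then issuer discretionary data up to the '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<yymm>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, the usual reporting form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(text: str):
    """Find the first track 2 record in text; None if there is none.

    The returned dict never contains the full PAN or the discretionary
    field, only whether discretionary data was present.
    """
    m = TRACK2_RE.search(text)
    if m is None:
        return None
    pan = m.group("pan")
    yymm = m.group("yymm")
    return {
        "pan_masked": mask_pan(pan),
        "luhn_ok": luhn_ok(pan),
        "expiry": f"{yymm[2:]}/{yymm[:2]}",  # MM/YY
        "service_code": m.group("service"),
        "discretionary_present": len(m.group("disc")) > 0,
    }


# Constructed sample: POS debug-log lines of the sort a defender might find
# during a log review. The PAN is a public test number, not a real card.
SAMPLE_LINES = [
    "2016-01-29 12:01:03 term=07 event=sale amount=8.45 status=approved",
    "2016-01-29 12:01:03 term=07 raw=;4111111111111111=2512101123456789?",
    "2016-01-29 12:04:10 term=03 event=void amount=3.10 status=approved",
    "2016-01-29 12:05:42 term=03 raw=;4111111111111111=2512101987654321?",
]


def scan_lines(lines):
    """Return (line_number, parsed_record) for each line holding track data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse_track2(line)
        if rec is not None:
            findings.append((n, rec))
    return findings


if __name__ == "__main__":
    for n, rec in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {rec}")
```

The parser deliberately discards the discretionary field rather than decoding it: for incident reporting the question is whether stripe data was exposed at all, and the masked PAN plus expiry and service code is enough to match against issuer alerts.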

Customers of the fast food chain affected by the breach will receive a year’s worth of “identity consultation” from Kroll Identity Theft Restoration if necessary. According to Wendy’s, “an experienced licensed investigator will work on your behalf to resolve related issues.”

Breach Brief – Wendy’s, Centene


January 29, 2016

Wendy’s

Yet another point-of-sale system appears to have been hacked. Fast food restaurant chain Wendy’s reports that its POS system has come under suspicion for a possible breach of customer card data.

Wendy’s spokesman Bob Bertini said, “We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations. Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.” Bertini did not name the security firm that is working with Wendy’s.

According to Krebs on Security the first reports of suspicious activity on customers’ cards came from financial institutions in the Midwest. However, reports have begun to surface from banks on the East and West Coasts. Currently there is no information on how many restaurants are affected.

Krebs on Security first reported the incident and believes that the restaurant’s POS system may have been infected by malware that collected credit card numbers. Wendy’s is not alone when it comes to this type of attack. Other restaurants and retailers hit by this style of attack include Jimmy John’s, Landry’s, P.F. Chang’s, Dairy Queen, Chick-fil-A, retail giant Target and Home Depot.

Wendy’s operates approximately 6,500 franchise and company-operated restaurants in the United States and 28 countries and U.S. territories worldwide.


Centene

The health insurer Centene is desperately searching for six hard drives that contain the personal information of over 1 million of its customers. The company has admitted to an “ongoing comprehensive internal search” for the missing hard drives.

St. Louis-based Centene said the missing hard drives contain personal data about people who received laboratory services between 2009 and 2015. The drives contain patient information including names, addresses, dates of birth, Social Security numbers, member ID numbers and health information. According to Centene CEO Michael F. Neidorff, the company doesn’t believe the information has been used “inappropriately.”

Customers affected by the data loss will receive free credit and healthcare monitoring.

The healthcare industry continues to be plagued by massive data breaches. For more on this topic please see:

Large-Scale Hacks Cause 98% of Leaked Healthcare Records.

Over 113 Million Healthcare Records Breached in 2015, Up Ten Fold from 2014

One in Three Americans are Victims of Healthcare Data Breaches

Identity Thieves Prey on Patients’ Medical Records

App of the Week – PaidEasy

Dining out is not as easy as it looks, especially when you are dining with friends. You know the ones who look the other way when the check comes. Then there is keeping track of what everybody ordered and making sure the check, with tip, is correct. Then you have to take the risk of surrendering your card to a stranger who disappears and returns with the check and a smile. What happened to your card when it was out of sight? That’s why PaidEasy is the App of the Week.

PaidEasy is the newcomer to the mobile payments arena, but the rookie has got game. The PaidEasy app is described as “the quickest way to discover merchants, search offers, and open and close bills.”

This payment app uses iBeacon technology to swing into action the second you walk in the door, syncing with the merchant’s point-of-sale (POS) system. This rapid-fire sequence allows the waitstaff to immediately add items to the bill without having to disappear with your credit card after the meal is finished.

And for those freeloading friends of yours, separate checks are really easy for everybody concerned. The customer can pay immediately with PaidEasy or, get this, just walk out the door knowing that the tab will close within 45 minutes (and include a tip).

But the miracles don’t stop there. PaidEasy provides the merchant with improved table management, giving restaurants the ability to address walk-ins and cut down on table turnover.

Want more? The app integrates with Uber, Yelp, and Apple Pay, easing the trip to the restaurant. PaidEasy lets customers get to the restaurant, place their order, and choose their payment method. PaidEasy even takes the surprise out of the price by allowing customers to view their bill at any time during the meal. The final glorious benefit of PaidEasy is that the app encrypts the customer’s credit card data, so payment information is never visible to the merchant.

PaidEasy is free and currently only available for Apple.


Breach Brief – Hilton Worldwide, Trump Hotel Collection

September 29, 2015

Hilton Worldwide

Hilton Worldwide, a global hospitality company, is investigating a possible data breach at its properties. The data breach may have compromised payment card data of its customers.

The data breach was reported by cybersecurity blogger Brian Krebs on Friday. According to KrebsOnSecurity.com, credit card provider Visa alerted financial institutions to a breach between April 21, 2015 and July 27, 2015, and included compromised card numbers. Hilton Hotels has not confirmed any data breach.

The data breach is not isolated to Hilton hotels alone. Besides the flagship Hilton Hotels, the subsidiaries include Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts. All are thought to be affected by this breach. Hotel gift shop, bar and restaurant point of sale (POS) systems may have been affected.

Although Hilton has said nothing officially, several financial institutions told KrebsOnSecurity.com that the breach may date as far back as November 2014, and the hotels may still be at risk.

Hilton has released a vague statement that neither denies nor acknowledges a data breach occurred.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”

Trump Hotel Collection

Unlike Hilton Hotels, Trump Hotel Collection has confirmed a malware data breach of its POS systems. The hotel confirmed the data breach after three months of investigation, and the system may have been infected by malware for over a year.

The Trump Hotel Collection posted an undated “legal notice of potential security incident” on its website. The notice warned of POS breaches at hotels in Chicago, Honolulu, Las Vegas, New York, Miami, and Toronto. The notice did not give a specific number of customers who may be affected by the breach.

A statement from Trump Hotels said, “Payment card data, including payment card account number, card expiration date, security code, and names of individual cardholders who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected.” The hotel also warns that attackers may have also obtained cardholders’ names at the Las Vegas and Honolulu hotels.

A year of identity theft protection from Experian is being offered to all customers who used a payment card at those properties during the malware-infection period. A breach-notification letter, which was posted by California’s Office of the Attorney General, is being sent to affected consumers by the law practice of Norton Rose Fulbright.

September 22, 2015

Systema Software

A mysterious data breach has compromised private health records and contact information of as many as 1.5 million Americans. The data was posted on Amazon’s cloud services. The insurers affected by the data breach include Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.

The data exposed included police injury reports, drug tests, names, addresses, phone numbers, and biological health information including existing illnesses and current medications used by the patients. The information was posted to Amazon servers by insurers using Systema Software. Systema provides insurance claims administration systems to insurance corporations and governments. The breach could violate HIPAA laws.

It is unknown how or by whom the information was posted, and the number of affected patients remains unconfirmed. It is estimated that as many as 1 million Social Security numbers, 5 million financial transactions, and hundreds of thousands of injury reports were exposed. According to Databreaches.net the data included billing prices, various patient identification numbers, and some 4.7 million note entries including data on fraud investigations.

For more information please see Gizmodo.com.

September 10, 2015

Excellus Blue Cross Blue Shield

Excellus BlueCross BlueShield reported a long-running cyber-attack that began in December 2013 but wasn’t discovered until Aug. 5, 2015. The breach may have exposed information on as many as 10.5 million individuals. Information exposed includes individuals’ names, addresses, birthdates, Social Security numbers, member IDs, financial account information, claims data and clinical information.

Cyber security firm Mandiant was hired to conduct a forensic assessment of Excellus’ IT systems and discovered the breach. Excellus, which is based in Rochester, N.Y., took the action after a wave of similar major cyber-attacks on other health insurers, including Anthem Inc., Premera Blue Cross and CareFirst Blue Cross Blue Shield.

According to an Excellus spokesman, of the 10.5 million people affected 7 million were health plan members. Data belonging to another 3.5 million individuals belonged to Excellus’ holding company, the Lifetime Healthcare Companies. The individuals affected are Blue Cross Blue Shield plan members who sought treatment in the New York state service area. In a statement Excellus said, “Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.” Company officials said that the data was encrypted but that the hackers had access to administrative controls, making the encryption a moot point.

The company is cooperating with an FBI investigation.

California State University

Officials of the Chancellor’s Office of the California State University system confirmed on Tuesday that a third-party vendor had exposed the personal information of 79,000 students in late August.

We End Violence, the San Diego-based company that worked with the university to offer the course, has contacted students affected by the breach. The Chancellor’s Office said officials took immediate action to safeguard student information.

The CSU Chancellor’s Office in Long Beach said the breach, discovered on August 28th, included information such as sexual orientation, gender, email and mailing addresses. According to school officials the breach did not reveal Social Security numbers, driver’s license numbers or credit card data. The data breach affected students at eight CSU campuses who had enrolled in a required sexual assault training class. The affected campuses included Cal State San Bernardino, Cal State Northridge, Cal Poly Pomona and Cal State Los Angeles.

August 24, 2015

IRS Breach

The Internal Revenue Service (IRS) widened the scope of the breach first announced in May. The government agency is saying that as many as 390,000 taxpayers are now at risk. The hack was centered around the IRS’ Get Transcript system.

The IRS suspended the Get Transcript online service in May. The service was intended to simplify how taxpayers retrieve their tax records, review their tax account transactions, and get line-by-line tax return information or wage and income reported to the IRS for a specific tax year. Hackers circumvented Get Transcript’s authentication safeguards and are believed to have gained access to taxpayer information, including Social Security numbers.

According to an August 17th statement the IRS stepped up its investigation of the breach. A deeper review of the compromised system included analyzing over 23 million system uses, including those of the 2015 filing season. Investigators were looking for suspicious activities and identified “more questionable attempts” to obtain taxpayer records through the Web application.

No details were provided on how the agency uncovered the additional taxpayer account breaches. But it is believed that the hackers were very skillful and probably covered their tracks, making it more difficult for the tax agency to quickly assess the extent of the breach.

Update-Ashley Madison Breach

Hackers who stole profile and customer data from Ashley Madison have released the data online. According to multiple reports a 10GB file of customers’ personal data, including email addresses, member profiles and transaction data, is now available online. Some reports say as many as 32 million customers’ information was released, including one million UK civil servants, U.S. officials, members of the U.S. armed forces and top executives at European and North American corporations. There are already reports of blackmail and divorce petitions because of the data release.

Impact Team, the hacker group claiming credit for the data theft, released the data after Avid Life Media, which owns Ashley Madison and Established Men, failed to meet demands that they permanently shut the sites down. Cougar Life, another Avid Life Media site, was not mentioned and seems to be unaffected.

Additional information:

The Blackmail of Ashley Madison Customers Has Already Begun

People are already starting divorce proceedings because of the Ashley Madison leak.

After the devastating hack, these lawsuits are threatening to wipe Ashley Madison out altogether.

A chart made from the leaked Ashley Madison data reveals which states in the US like to cheat the most.

The Pentagon Is Investigating the Ashley Madison Leak.

How to check if an account was exposed in the Ashley Madison hack

August 4, 2015

United Airlines

According to Bloomberg Business, United Airlines has reported that its customer flight records have been lost to a data breach.

The breach was detected in May or June of this year and involved flight manifests. Chinese hackers are suspected. These same Chinese hackers are suspected of stealing more than twenty million OPM records. Experts believe that Chinese intelligence is constructing a massive database.

United Airlines is one of the government’s largest contractors. It is believed that the stolen data contains vast amounts of information on the travel of military and government officials and federal employees.

Experts have also questioned a possible connection between the hack and the computer glitch that caused flight delays on July 8th. Evidence from the investigation reveals that hackers may have been inside United’s computers for months.

A spokesman for United Airlines declined to confirm that a breach occurred and insisted that customers’ private data is safe.

One of the major concerns is that hackers, tinkering with sensitive systems, could accidentally or deliberately cause massive flight delays or even cripple a major airline, causing nationwide and potentially global aviation gridlock. Another concern is backdoors left inside computer networks that allow hackers back in at will.

United spokesman Luke Punzenberger said of customer information that United “would abide by notification requirements if the situation warranted.”

Medical Informatics Engineering

A data breach at Medical Informatics Engineering has compromised the data of over 3.9 million people nationwide. According to MIE the information loss includes names, phone numbers, mailing addresses, user names, hashed passwords, security questions and answers, email addresses, birthdates, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and spouses’ and children’s names and birthdates.

MIE creates electronic medical records software for health care providers, and the breach could impact as many as 11 healthcare providers including local, state and the federal government.

According to the company the hackers had access to the MIE servers for three weeks and stole the information to sell on the black market. Experts suspect the theft was likely an inside job.

MIE has reported the breach to the FBI Cyber squad and said the investigation into the security breach is ongoing. MIE is offering free credit monitoring and identity theft protection. The company has established a toll-free hotline available Monday-Friday 9:00AM-9:00PM EST at (866) 328-1987.

July 28, 2015

Experian


Experian Credit Reporting Services is the target of a class action lawsuit filed in California. The amount is to be determined. According to the suit, Experian was negligent and violated consumer protection laws because it failed to realize that for nearly a year a customer of its data brokerage subsidiary, Court Ventures, was actually a criminal gang specializing in selling consumer data to identity thieves. Experian purchased Court Ventures in 2012.

The leader of the identity theft ring was sentenced to 13 years in prison last week in New Hampshire. Hieu Minh Ngo accessed as many as 200 million consumer records by posing as a private investigator based in the United States.

According to the government Ngo collected nearly $2 million from his scheme. The IRS has confirmed that 13,673 U.S. citizens had their personal information stolen and sold on Ngo’s websites Superget.info and Findget.me. The stolen identities were used to file over $65 million dollars in fraudulent tax returns.

Plaintiffs in the case have asked the court to compel Experian to notify all consumers affected by the breach, provide free credit monitoring services, turn over all profits made as a result of the Ngo relationship and to establish a fund to reimburse victims for the time and expenses of fighting fraud and correcting identity theft caused by customers of Ngo’s ID theft service.

U.S Census Bureau

The U.S. Census Bureau reported a data breach early last week. In a written statement released on Friday, Census Bureau Director John H. Thompson said a database belonging to the Federal Audit Clearinghouse had been attacked. The FAC collects audit reports from government agencies and other organizations spending federal money.

According to Thompson the information included the names of people who submitted information, addresses, phone numbers, user names and other data. According to the Bureau no household or business data was lost.

In the statement Thompson wrote that the intruders accessed the database through a configuration setting on an external IT system. That system is separate from the Census Bureau internal systems that store census data.

In the statement Thompson went on to say, “Over the last three days, we have seen no indication that there was any access to internal systems.”

The attack was apparently in protest of the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership. Both are pending trade agreements that have been widely criticized. A group calling itself Anonymous Operations claimed credit for the breach and posted a link on Twitter to four of the stolen files.

July 20, 2015

Ashley Madison

A hacking group calling itself the Impact Team has hacked into the sex hookup website AshleyMadison.com.

According to Krebsonsecurity.com massive caches of customer and company data have been stolen and posted online. The group claims to have totally penetrated the company’s networks, taking control of the company’s customer database of 37 million users, financial records and other proprietary information. As a website dedicated to cheating spouses, the damage could go well beyond lost data.

Avid Life Media, which in addition to Ashley Madison also owns hookup sites CougarLife.com and EstablishedMen.com, was attacked in retaliation for lying to customers. According to the Impact Team hackers, ALM advertised to customers a service allowing members to completely erase their profile information for a $19 fee. According to the hackers the company is not fully deleting users’ information, including personally identifiable information, users’ purchase details and real name and address.

The hackers have demanded that the Ashley Madison and Established Men websites be taken down immediately and permanently or more information will be released online. The hackers are threatening to release customer records, including profiles with their secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.

Avid Life Media CEO Noel Biderman believes the attack may be the work of one or more persons, possibly an employee or contractor, who had legitimate access to the company’s network.

July 18, 2015

CVSPhoto.com, Costcophotocenter.com, RiteAid Photo, Sams Club, Walgreens & Tesco

PNI Digital Media is a third-party vendor that handles transactions for these retailers. According to KrebsOnSecurity.com PNI has suffered a data breach of unknown size, but it is known that customer payment information has been compromised.

Neither PNI nor any of the retailers connected with the breach have said much, only that more information will be released as it becomes available. CVSPhoto.com took down its photo site and posted an announcement indicating an investigation is under way and that other CVS sites, such as its pharmacy, were unaffected by the breach. CVS has asked customers who used the photo service to check and monitor their card statements for suspicious activity or transactions. If anything looks strange they are to contact their bank or card company immediately to report it.

Costcophotocenter.com and RiteAid photo also took their sites down.

UCLA Health

UCLA Health has confirmed that health information for as many as 4 million individuals has been exposed as a result of a data breach that may have begun last September. The FBI is investigating and UCLA has hired private forensics experts to beef up the security on its servers.

According to a UCLA Health statement released on Friday “criminal hackers” hacked into parts of the organization’s computer network containing personal and medical information.

UCLA Health began investigating suspicious activity on its networks in October of 2014. At the time they did not believe the attackers had gained access to areas of the network containing personal and medical information.

“As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter.”

Office of Personnel Management

Even though OPM suffered a data breach and the loss of information on 24 million Americans, the government still has not notified those individuals. It’s been two months.

Officials from multiple agencies familiar with the investigation say that OPM is working with other agencies to set up a system to inform the victims.

An OPM official, who wishes to remain anonymous, said that because of the complicated nature of the data and the movement of contract and federal employees, it would be weeks before a mechanism was in place.

According to the official the government is attempting to establish a central notification system rather than rely on separate agencies to make notifications. An outside contractor is being considered for the task, but OPM has not yet asked for bids for the job.

July 16, 2015

OPM Data Breach

An interagency task force investigating April’s OPM hacking has determined with “high confidence” that as many as 21.5 million people had their personal information stolen. This includes Social Security numbers.

The Office of Personnel Management updated its website last Thursday with the startling new information.

According to the OPM, 4.2 million former federal employees’ personnel data was stolen. While investigating that theft, investigators found a much larger data theft. OPM has not yet notified the 19.7 million additional individuals affected. Those are the people who requested a background check, normally for employment purposes or access to classified information. An additional 1.8 million were people who were not job applicants but were either married to or co-habiting with an applicant.

In addition to personal information the hackers stole as many as one million fingerprint records.

Applicants who applied for employment had their user names and passwords for investigation forms stolen. It is also highly possible that information such as mental health history and financial history may have also been stolen. Applicants who were interviewed as part of their background investigations often reveal this sensitive information when applying for security clearances.

OPM attempted to take some of the sting from the bad news by saying “there is no evidence that health, financial, payroll, and retirement records of federal personnel or those who have applied for a federal job were impacted by this incident (for example, annuity rolls, retirement records, USAjobs, Employee Express).” The agency assures the public that it is working to create safeguards to prevent such incidents in the future.

OPM Director Katherine Archuleta resigned her position last week after withering criticism over the data breach.

Army National Guard Data Breach

Current and former members of the Army National Guard dating back to 2004 had personal information including Social Security numbers, birthdates and home addresses stolen.

National Guard spokesman Major Earl Brown said, “The National Guard Bureau takes the control of personal information very seriously. After investigating the circumstances of these actions, and the information that was transferred, the Guard has determined, out of an abundance of caution, to inform current and past Guard personnel that their Personally Identifiable Information (PII) was among the files that were transferred.”

“The issue was identified and promptly reported, and we do not believe the data will be used unlawfully,” Brown said. “This was not a hacking incident, in which the intent was to use data for financial gain. Nonetheless, the Guard believes that individuals potentially affected need to know about the breach and what actions they can take to protect themselves from potential identity theft.”

If you are a member of the National Guard and need more information please go to http://www.nationalguard.mil/Features/IdentityTheft.aspx or call toll-free 877-276-4729, 8AM to 4PM EST, Monday through Friday. You can also email any questions you have to dod.data.breach.questions@mail.mil.

ALERT! Sally Beauty Breached Again ALERT!

Credit card data may be compromisedThe African American Cyber Report reported in March of 2014 of a data breach at Sally Beauty Supply stores. So here we go again!

One year later Sally Beauty Supply is again revealing that a network intrusion exposed customer payment card data and is now investigating fresh breach reports. Sally Beauty has over 4,800 U.S. stores reporting 2014 revenue of $3.6 billion.

Sally Beauty first began to receive warnings of a possible breach during the week of April 27th. In a May 4th announcement store executives admitted to investigating “unusual” card activity linked to payment cards used at some of its U.S. stores.

“Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts, while working to ensure our customers are protected. Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident; but we will continue to work vigilantly to address any potential issues that may affect our customers.”

The beauty supplier vowed to provide additional updates “in the coming days” via its website and directly to affected customers. “We will be providing notifications to any affected consumers and others, as appropriate, as the facts develop and we learn more.” The chain also requested that any customer who discovers fraudulent activity that they believe relates to Sally Beauty should contact its customer service hotline after alerting their card issuer or bank.

Cyber security experts point out the suspicious timing of the second data breach. George Rice, senior director of payments for data-encryption firm HP Security Voltage, pointed out, “Sally Beauty experienced two breaches within a short period of time. It is entirely possible that Sally Beauty never fully eradicated the malware on their POS from the first time.”

John Buzzard, head of card-alert service at analytics software company FICO, agrees stating “We are all really perplexed when we see breaches that appear to the naked eye to be a repeat situation.” Buzzard continues, “As Sally’s story line evolves, we may learn that the level of customization in the malware that allegedly affected them in 2014 was so complex that it was able to evade a stringent mitigation process. I can’t ascertain if lightning did, indeed, strike twice here; so it’s just a waiting game to see how this can be explained.”

A Sally Beauty spokesman told the Information Security Media Group that “it would be premature to speculate” about whether the 2014 and 2015 breach reports might be linked, and declined to detail which digital forensics investigation firm it brought in to investigate the latest breach reports. The 2014 breach was investigated by Verizon.

The question most customers have is: why did this happen again? In the company’s 2014 annual report, released in November, Sally executives noted the company had a number of information security defenses in place. “We have physical, technical and procedural safeguards in place that are designed to protect information and protect against security and data breaches as well as fraudulent transactions and other activities,” it said. “Despite these safeguards and our other security processes and protections, we have been a victim of cyber-attacks and data security breaches, including a breach that resulted in the unauthorized installation of malware on our information technology systems that may have illegally accessed and removed a portion of payment card data for certain transactions.”

Tripwire senior security analyst Ken Westin says there are steps all retailers need to take, not just ones that have suffered a point-of-sale malware attack. These steps will allow retailers to safeguard themselves against online attacks, as well as to rapidly detect unfolding breaches. Those include keeping a close eye on all data regulated by the Payment Card Industry Data Security Standard. “Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches,” he says. “These include configuration changes, unauthorized processes and credit card data appearing on the file systems, RAM or anywhere outside the PCI environment.”


Home Depot, Another Careless Retailer

It has become the largest POS hack in history, with 56 million credit and debit cards compromised. And it seems this may have been completely preventable.

First things first, if you have been to Home Depot in the last six months then you could be vulnerable. You need to either change your PIN or just demand new cards. Call your bank and don’t take no for an answer. If they give you any back talk take your business elsewhere.

The breach became known in September. Home Depot said in a statement: “Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks.” The attack was focused on the self-service checkouts in Home Depot stores.

But was this a new and unknown malware? Maybe not. According to Computer Business Review the malware was the same stuff used to attack Target Stores. 

But if reports are correct this did not have to happen. According to the New York Times and former employees, Home Depot simply ignored its own security experts, who warned the company that it was a prime target for hackers as early as 2008.

Long before this massive breach became known Home Depot poorly managed the security of its IT systems. According to former members of the company’s cyber security team, who requested anonymity, the company was slow to respond to early threats and only belatedly took action.

According to the New York Times report Home Depot used outdated software to protect its network and did not regularly scan systems that handled customer information. People who have worked in Home Depot’s security group recently said management failed to take such threats seriously. According to sources managers relied on outdated Symantec antivirus software from 2007. Home Depot also failed to regularly monitor its network for unusual behavior, such as an unknown server communicating with its checkout registers.

Some members of the Home Depot security team left the company because of the lack of management action on the matter. Other members questioned how Home Depot could have met industry standards for protecting customer data. The situation was so bad that one of the security experts even warned friends to avoid using credit cards and pay with cash at the company’s stores.

But it gets worse! In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer, to help manage security at its 2,200 stores. He was quickly promoted to a position where he was in charge of security systems for Home Depot’s stores. But just recently Mitchell was convicted of disabling the computers of his former employer and sentenced to four years in prison.

Several of Home Depot’s former employees were not surprised the company had been hacked. According to them they warned the company and sought to correct the situation. They said that when they asked for new software and training, management responded with: “We sell hammers.”

Breaking it down

If you think for a minute that this is unique in the retail industry you would be wrong. If you think for a minute that retailers care about real security and protecting you, you would be wrong again. Retailers are sloppy. They don’t care about you. What you have just read is fairly indicative of the issues that are plaguing the retail payment system. The industry is full of managers who are either unaware or don’t understand what is happening. So when those that do see the writing on the wall speak up, the answer is, “We sell hammers.” What they should be saying is, “We have hammers for brains!”

And the upper levels of management are looking at the bottom line and seeing that it is still cheaper to pay off claims than to employ effective security. I have a funny feeling that Home Depot is about to learn a lesson here.

Until we have a serious re-thinking of the way we secure our payment systems we are going to keep seeing this happen. New cards and new ways to pay, including Apple Pay, are what is needed to fully secure our money. And did I forget to mention more effective federal laws and standards to protect the consumer? It’s a sad fact that we are wide open to these attacks because industry and government refuse to act. They like things just the way they are. Industry enjoys the protection of the courts, who have ruled that unless you can prove actual damages the retail customer can’t sue the retailer who lost the data. They are saying, your data was compromised…and…

The U.S. government is willfully ignorant and reluctant to deal with this growing problem. I believe these data breaches threaten our economic future, in the areas of wealth, data and technology loss alike. We need to do something or we can just kiss it all goodbye.

MURDER! Apple Pay Kills the Credit Card!

Apple announced yesterday it was introducing a new mobile payment system. Known as Apple Pay, the system will allow the consumer to make purchases by simply waving their iPhone in front of a POS receiver or just tapping the screen.

Apple Pay works with Apple’s Passbook app. The app allows users to digitally store coupons, tickets and merchant loyalty cards. iPhone users can use a stored credit card inside the app. Customers simply wave their phone in front of a terminal to pay. The technology that delivers the payment is called near-field communication, or N.F.C., via a chip embedded in Apple’s new iPhones.

Technogeeks have been predicting this move for years and Apple seems to have made those predictions come true. Apple announced that it was working with big retailers like Target, restaurants like McDonald’s and the big credit card companies. The result will be that consumers will be able to purchase a burger, a box of dryer sheets or a riding lawn mower with greater security. Consumers can use the system with the new Apple smartwatch or iPhone 6 to make the purchase.

Apple Pay gives Apple the competitive edge in mobile payments. Forrester Research, a technology analysis firm, expects the mobile payments market to reach $100 billion in the U.S. over the next five years. But the question remains: will the consumer accept this new device to use on an everyday basis? And of course, if they do, will Apple be able to hold significant market share?

Apple’s innovation is slightly different from previous efforts at mobile payments. But Apple has to convince the consumer of the security of this new system. This includes assuring the user that credit card information will not be stored on the iPhone or other devices or on Apple’s servers. Basically the consumer has to believe that the new system is safer than a credit card. “We’re totally reliant on the exposed numbers and the outdated and vulnerable mag stripe,” said Timothy D. Cook, Apple’s chief executive, at yesterday’s announcement event in Cupertino, Calif. “Which all of us know aren’t so secure.”

Tom Pageler, the chief information security officer at DocuSign, a company that manages digital transactions, agreed that Apple’s payment system appeared to be more secure than the current system. Pageler said another benefit of the N.F.C. technology is that payment companies could more easily identify a purchase made outside a customer’s usual location.

Apple Pay could create a revolutionary shift for the mobile payment systems. Companies like Google, Amazon and Microsoft  will be forced to play against Apple and agree to cut deals with retailers and credit card companies. This would make mobile payments more widespread.

Apple’s announcement was well timed. U.S. retailers are facing a near mandate that they migrate from the current magnetic strip cards to the more secure PIN and chip card by the end of next year. This PIN and chip system has become the de facto standard in Europe and is much more secure than U.S. cards. But American retailers have been resistant to switching simply because they do not want to pay for the new system hardware and installation. Apple’s new system, if it finds widespread acceptance, could make the change much more appealing.

According to Cook, Apple Pay would only be available on its new smartphones, the iPhone 6 and the larger iPhone 6 Plus, and the new Apple Watch that will reach the market in 2015.

Breaking It Down

Too many people fell for Apple’s “Me Too & Done It Again” show. Yeah, Apple has a new iPhone; so what? Yeah they have a new computer watch. Been there; done that. Among all the hoopla and fanfare Apple murdered the credit card in front of thousands of witnesses.

America has become the favorite patsy of the hacker community because our payment security systems are a joke. A bad, costly joke. Our retailers refused to do anything about it and the government failed us. The credit card is dead and thank you Apple.

The key to what Apple is doing is the fact that Target and the three major credit card companies are on board. That is all you need. These credit card companies and retailers realize that the legal system and legislators are under strain and that sooner or later the dam will break and the law and lawsuits will turn against them. This scares the hell out of them.

For retailers, like Target, the impact of the last data breach was unacceptable. Another breach could destroy them. They know a new payment system is desperately needed and Apple has delivered. Every major retailer in the country is meeting to discuss this new payment system and wiping the sweat from their brows. Apple just turned the heat down.

Retailers were fighting the new PIN and Chip system but were being forced to adopt it. They understood the need but fought against the price. But Apple has jumped over any credit card design. The new mobile payment system will secure the purchase process from end to end and this is what the consumer and the retailer demands. It’s the revolution we have all been waiting for. We have suffered too many data breaches, credit card fraud and retail POS hacks to keep doing things the old way. It just became too much.

For black people we can feel, like most Americans, that relief is within sight. We can stop feeling so nervous about using our credit or debit cards at stores. We will soon say goodbye to those sliding card POS systems and to losing sleep afraid to wake up to a new data breach. Could those days be behind us? It seems so.

Americans should rejoice at this new way of paying for things. Apple has a history and mandate to innovate and they have delivered again. The credit card is dead and somewhere in heaven Steve Jobs is smiling.