A Little Catching up

August 20th, 2009

Catching back up on the news….

Multiple Radisson Hotels Hacked – Not a lot of detail on how the breach occurred or how many properties are affected.

La Parrilla Mexican Restaurant Potentially Hacked

Albert Gonzalez indicted on charges of hacking Heartland and Hannaford (News, Court Doc pdf). This is of course in addition to the other indictments charging him with hacking into TJX (TJ Maxx), DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority, and Forever 21 (Court Doc pdf).

An Open Letter to Robert Carr, CEO of Heartland Payment Systems

Network Solutions E-Commerce Hacked – 4,343 customers (businesses) and 573,928 credit cards impacted.

Wave of Reissuing in the Wake of Heartland

January 25th, 2009

Starting just days before the Heartland Payment Systems breach was announced, there has been a sharp increase in banks reporting the reissuance of their card portfolios.

01/24/2009 – Idaho Banks Reissue Cards After Security Breach
01/24/2009 – Several NH banks hit by credit card data breach
01/23/2009 – South Central Credit Union of Jackson instantly shut down cards
01/23/2009 – Security breach may require new credit, debit cards (Nebraska)
01/23/2009 – Heartland Bank, BofA reissue cards after breach
01/23/2009 – National credit card breach affects thousands locally (Indiana)
01/17/2009 – Bank hears of data breach (Maine)

Wyndham’s Confidential Public Disclosure

January 25th, 2009

Wyndham Hotels notified the Maine Attorney General on October 8, 2008 of a data security incident involving information held by Wyndham Hotels and Resorts, LLC. In mid-September an administrator detected unusual activity in their Phoenix, AZ data center. Apparently the attacker was able to break into one of the franchise locations and create a file containing Wyndham customers' cardholder data. Wyndham notified affected franchised hotels, which likely means multiple hotels were affected. The beginning of the notification letter to the Maine Attorney General is almost too hilarious to be true:

At the outset, we would like to request confidential treatment for this letter and all future written and verbal correspondence related to this matter. In particular, we request that the information contained in this letter be exempt from disclosure as “information describing… [the] security of information technology infrastructure and systems.” ME. REV. STAT. ANN. tit. 1, § 402(3)(m).

I want to shake the hand of Steven Rowe, the Attorney General in Maine, for not giving in to this invalid request to maintain the secrecy of this data breach. In a second letter, sent to the New Hampshire Attorney General, Wyndham writes that their “investigation is substantially complete.” Oddly, they say that notification to consumers in the state of New Hampshire is appropriate because Track 2 credit card data may have been compromised. Generally it is Track 1 that contains the cardholder's name, and a name paired with the card number is what mandates notification under most state breach laws. Track 2 carries the PAN, expiration date, service code and issuer discretionary data (which typically includes the card verification value, CVV1/CVC1), which is exactly what counterfeit carding requires.

It’s amazing that the world’s largest lodging franchisor can be hacked and manage to have it go unmentioned by the media.

HPS Turning **** Into Gold

January 25th, 2009

Heartland Payment Systems has released a nice little piece of fluff in response to the data breach that was announced earlier this week. The press release claims that HPS has boarded 400 new merchants since the incident, but it elegantly fails to mention how many they have lost. HPS believes that because of their “fair dealings, transparency and merchant advocacy” the impact of this breach on their brand is limited. In reality there appears to be very little fair dealing and transparency.

HPS managed to publicly announce the incident on the same day as the presidential inauguration. Either the hacker or HPS has impeccable timing. Also, Robert Baldwin, the CFO of HPS, stated in a Washington Post interview that it wouldn’t be appropriate for HPS to offer credit or identity theft protection to the potentially millions of cardholders who may be affected by this breach. None of this sounds like fair dealing or like they are taking proper responsibility for the breach.

The new press release speaks of more information sharing on these breaches so that other companies will not fall victim to the same attacks, and of possible changes to the industry, such as end-to-end encryption. Personally I can’t wait to hear HPS release more information about the breach to help other companies secure their payment systems. The only detail that has come out so far is that malware captured data in transit through the payment network. Anti-virus is a baseline every company should already have, but custom-written sniffing malware rarely matches a signature, so it is unlikely to have stopped this on its own. What the articles don’t yet mention is how the attackers got access to install the malware in the first place. This is the key information the industry needs in order to prevent this from happening again, and I look forward to hearing more of the details if HPS chooses to follow its own advice.

Robert Carr, CEO of HPS, talked of looking into new technology to secure the payment system, such as end-to-end encryption. This is really the only useful tidbit from the press release. While Europe, Canada, and Mexico are already well on their way towards EMV / Chip and PIN, the US is still for some reason reluctant to accept the standard. Even Carr, after experiencing this breach, won’t give EMV the thought it deserves. While end-to-end encryption would reduce fraud, it doesn’t stop the problem: it still leaves the individual point-of-sale systems vulnerable to tampering and to attacks against the data before it gets encrypted. The payment industry as a whole needs to adopt a single set of standards that will secure the CVV and CVV2/CVC2/CID and provide an encrypted channel for the transaction to be performed over.

Heartland Payment Systems Breach

January 20th, 2009

Heartland Payment Systems, the sixth largest credit card payment processor in the US, has disclosed that they “found evidence of an intrusion last week” that may have exposed credit card data.

While they don’t say exactly what data is at risk, they clearly state that Social Security numbers, unencrypted PINs, addresses and telephone numbers were not involved, and that Heartland’s check management systems, Canadian, payroll, campus solutions and micropayments operations, the Give Something Back Network, and the Chockstone processing platform were not involved in the breach.

Heartland has set up a website www.2008breach.com to provide information about the incident.

Update: The Washington Post has an article with some interesting details on the incident and Heartland. According to this article, Heartland processes transactions for over 250,000 merchants, 40% of the transactions coming from small to mid-sized restaurants around the country. Heartland has contacted the US Secret Service and hired two forensic companies.

Malicious software was found in the environment that captured magnetic stripe track data as it passed through the network. While the amount of data stolen is currently not known, Robert Baldwin, the President and CFO, mentioned that about 100 million transactions a month pass through their system.
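The Wyndham post above draws the line between Track 1 and Track 2 data, and the Heartland malware captured exactly this kind of track data off the wire. As an added example (not code from the original posts, nor from Wyndham or Heartland), the Python below parses ISO/IEC 7813 Track 1 and Track 2 strings, applies a Luhn check to the PAN, reads the service code to see whether the issuer asked for chip (EMV) processing, and scans a raw byte stream for track data the way a sniffer (or a detection rule hunting for one) would. The sample track strings use the well-known test PAN 4111111111111111; the name, dates, service code and discretionary data are constructed, and since discretionary data is issuer-defined, its contents here are illustrative only.

```python
"""Parse ISO/IEC 7813 magnetic-stripe track data and flag it in a byte stream.

Constructed example: test PAN 4111111111111111, all other values invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,30})\?"
)
# Track 2 (ABA format): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,20})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; every PAN on a real card passes this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def chip_preferred(service_code: str) -> bool:
    """ISO 7813 service code, first digit: 2 or 6 means 'use the IC (chip) where feasible'."""
    return service_code[0] in "26"


@dataclass
class TrackRecord:
    track: int
    pan: str
    expiry: str               # YYMM as encoded on the stripe
    service_code: str
    discretionary: str        # issuer-defined; typically PVKI/PVV and CVV1/CVC1
    name: Optional[str]       # only Track 1 carries the cardholder name


def _record(track: int, m: "re.Match") -> TrackRecord:
    name = m["name"].strip() if track == 1 else None
    return TrackRecord(track, m["pan"], m["exp"], m["svc"], m["disc"], name)


def parse_track(data: str) -> Optional[TrackRecord]:
    """Return a TrackRecord for one complete track string, or None if it is not one."""
    for rx, track in ((TRACK1_RE, 1), (TRACK2_RE, 2)):
        m = rx.fullmatch(data)
        if m and luhn_ok(m["pan"]):
            return _record(track, m)
    return None


def find_tracks(payload: bytes) -> List[TrackRecord]:
    """Scan a raw payload (e.g. a reassembled TCP stream) for embedded track data.

    This is what a memory/network sniffer looks for, and equally what a DLP or
    IDS rule would alert on. Non-ASCII bytes are dropped so the regexes run on
    text; Luhn-invalid matches are discarded to keep false positives down.
    """
    text = payload.decode("ascii", errors="ignore")
    hits: List[TrackRecord] = []
    for rx, track in ((TRACK1_RE, 1), (TRACK2_RE, 2)):
        for m in rx.finditer(text):
            if luhn_ok(m["pan"]):
                hits.append(_record(track, m))
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed samples (test PAN; name, expiry 12/01, service code 101 and
# discretionary data are invented). The payload mimics a POS authorisation
# message with framing bytes around the two tracks.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^12011011000000123456?"
SAMPLE_TRACK2 = ";4111111111111111=12011011000000123456?"
SAMPLE_PAYLOAD = (
    b"\x02\x00\x1fPOS-TERM-0042 AUTH REQ " + SAMPLE_TRACK2.encode()
    + b"\x1c" + SAMPLE_TRACK1.encode() + b"\x03"
)

if __name__ == "__main__":
    for rec in find_tracks(SAMPLE_PAYLOAD):
        print(f"track {rec.track}: PAN {mask_pan(rec.pan)} exp {rec.expiry} "
              f"svc {rec.service_code} chip={chip_preferred(rec.service_code)} "
              f"name={rec.name!r}")
```

Run as a script it prints one line per track found in the constructed payload; note that only the Track 1 hit carries a name, which is the point the Wyndham letter turns on, while both hits carry everything needed to clone a stripe. A defender would run find_tracks over egress traffic or process memory dumps and alert on any hit outside the expected payment path.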

Suspected TJX Carder Gets Unrelated 30-Year Sentence

January 11th, 2009

Maksym Yastremskiy (AKA Maksik), a suspect in credit card data breaches including TJX, OfficeMax, Barnes & Noble, Forever 21, DSW, Boston Market, Sports Authority, and Marshall’s, was sentenced to 30 years in prison on unrelated charges. Yastremskiy was found guilty of hacking into the computer systems of 12 Turkish banks.

In August Yastremskiy was one of 11 people charged with suspected involvement in 9 major retail breaches. US authorities filed for extradition of Yastremskiy, but he ended up standing trial in Turkey on these separate offenses. Yastremskiy is believed to have earned more than $11 million from his illicit activities.

With recent breaches including RBS WorldPay and Wyndham Hotel Group, it doesn’t look like credit card cyber-crime has missed a beat.

ITRC 2008 Breaches

January 6th, 2009

The Identity Theft Resource Center has released its 2008 year-end results, showing an increase in reported data breaches to 656 from the previous year’s 446. The 47% increase in reported breaches shows the persistent issues that have affected the personal data of millions of people.

Accidental exposures and data-on-the-move incidents, such as lost or stolen laptops, devices and storage media, accounted for the largest portion (35%) of incidents and 70% of records, while hacks were responsible for a mere 91 incidents (14%) and only 19% of the exposed records. Two important pieces of information are missing from the ITRC year-end results, and their absence dilutes the real picture of the information security issues plaguing our personal information.

The publicly reported statistics on breaches show only the raw potential of an incident. For example, the potential risk from 1,000 credit cards, SSNs, or any other PII on a lost or stolen laptop is counted the same as 1,000 equivalent records exfiltrated during a hack. This is exactly the data provided to the public and available through sites such as the ITRC, datalossdb, and databreaches.net. What is not evident from these disclosures is the true likelihood of realized fraud associated with these breaches. The chance of a stolen laptop ending up in the hands of someone who knows what data is on it and has the knowledge or resources to use it is much lower than when the data ends up in the hands of someone who intentionally hacked in or planted malware targeted at those records.

The other reason these statistics cannot be taken completely at face value is that they are based only on reported breaches. A steady increase in laws requiring the disclosure of breaches has likely increased the number of disclosed breaches, inflating the reported incident counts over time. On the other hand, breaches only need to be disclosed if certain state and data-type requirements are met, such as the data including names or SSNs. Many breaches that involve data outside of state requirements, or that only involve credit card numbers, may not require disclosure at all. Of the incidents contained in the ITRC report, 42% did not include the number of records exposed. These two issues leave us with potentially inflated reports of increased breaches while at the same time providing only lower bounds on the actual number of breaches and records exposed for the year.

An area of real concern is the increase in insider attacks. We can only assume the current economic state may have contributed to this increase, but the share of reported incidents has more than doubled to 15.7% from the previous year. Insiders tend to have access to large data sets of PII due to their job roles, and often have knowledge of, or administrative rights over, the very controls in place to protect this data. This is a clear indicator to companies that least-privilege access and dual controls are necessary to avoid these massive blunders.

The effort taken by many individuals and companies over recent years to aggregate and provide this information has truly been a blessing, bringing to the public a once hidden and abstract issue: personal information scattered throughout organizations. We can only hope and push for future transparency in disclosures of personal information breaches as we continue into 2009.

First Post

January 2nd, 2009

Reform is affirmative, conservatism negative; conservatism goes for comfort, reform for truth

– Ralph Waldo Emerson