http://securityratty.com/tag/canton Sat, 26 Apr 2008 17:01:56 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/6a6e2e458675a57e767b333a17041140 http://securityratty.com/article/6a6e2e458675a57e767b333a17041140 Security Breach

Date Reported:
4/24/08

Organization:
WiseBuys Stores, Inc.

Contractor/Consultant/Branch:
WiseBuys of Canton

WiseBuys Plaza, 5533 US Highway 11, Canton, NY 13617, 315.379.0456

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"credit and debit card numbers"

Breach Description:
"Hundreds of credit and debit card numbers were stolen in December at the Canton Wisebuys store, according to Canton Village Police."

Reference URL:
Watertown Daily News
WWTI Channel 50 News
TWEAN News Channel of Syracuse

Report Credit:
WWTI Channel 50 News

Response:
From the online sources cited above:

CANTON — Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20

Since then, stolen credit card numbers have been used to create fake cards in New York City.

The fraudulent cards were used to pay for taxi rides, to buy food at a Wendy's Restaurant and to make purchases at New York City drug stores and other locations.

"We had the New York City police call us about one of our cards that was picked up in a sting," said Scott A. Wilson, president and chief executive officer of SeaComm Federal Credit Union, which has a branch in Canton.

Complaints about the thefts began to come in early in March as victims received their monthly bank and credit card statements

"At this point we are not sure how the numbers were obtained. It may be an employee or it may be somebody who hacked into their system," Ms. McDougal said.

Hannaford Bros., which operates supermarkets in the Northeast including stores in Watertown and Massena, reported the theft of up to 4.2 million credit and debit card numbers from 300 of its stores in March.
[Evan] I think Watertown, NY is ~60 miles from Canton, and Massena is ~30 miles away.

It is unknown if there is any similarity between the Hannaford thefts and the WiseBuys thefts.
[Evan] I certainly don't know enough to speculate (but I will later ).

"We have people working on it," said Norman V. Garrelts, chief executive officer of Hacketts, which took over operation of WiseBuys after a November merger.

"We had no inkling it was going on. The police notified us," he said. "How anybody could have hacked into the system, I am not a big enough geek to know. It happened over a day or two."
[Evan] I think there are many organizations that have "no inkling".  CEOs like Mr. Garrelts don't need to be "a big enough geek" to know how the companies they run are managing information security.  CEOs are the ones that are ultimately responsible.  Information security should be governed in such a way that it has visibility with the CEO.  Information security is an organizational issue, NOT an IT (or geek) issue.

"We have rechecked all of our safeguards and everything seems to be in order," Mr. Garrelts said. "It should not have been able to happen."
[Evan] This incident is proof of the contrary.  I agree that it should not have been able to happen, but it DID happen.  The question is what is the "it"?

The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen

Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

District Attorney Nicole M. Duvé, who learned of the thefts Thursday, said she takes the thefts seriously.

"This is starting to eat up a lot of law enforcement time and a lot of our time. I intend to take a very dim view of anybody caught doing it," she said.
[Evan] I wonder what the ultimate cost of incidents like this really is.  Law enforcement time, employee time, bank and credit issuer time, victim time, actual fraud dollar amounts, prosecutorial time, etc. etc.  It all ends up, and somebody has to pay for it all, right?

Debit and credit card issuers believed to have been affected by the thefts to date include Community Bank N.A., SeaComm Federal Credit Union, Key Bank, Discover Card, Capital One and NBT Bank, Ms. McDougal said.

"As far as I know, all of the banks have been cooperating with their customers and all have been reimbursed by their banks or credit card companies," she said.

"We have a zero loss policy," said Mr. Wilson, of SeaComm Federal in Massena. Under the policy, the credit union absorbs any losses caused by fraud.

In all, 42 credit union members were among those whose numbers were stolen. All were issued new numbers and cards.

Commentary:
I don't get a good feeling about this one.  Too many unanswered questions.  Nobody seems to know very much.  There has been no official public response by WiseBuys.

NOT FACT, only speculation:
I like to speculate, so what the heck I'll throw something out there.  I'm going to say that full magnetic stripe data was captured during data transmission and that this is not an inside job.  I am also going to say that this was not related to the Hannaford breach.  I didn't exactly go out on a limb with my speculation, but I did speculate nonetheless.

Past Breaches:
Unknown

]]> Sat, 26 Apr 2008 17:01:56 +0000 credit card credit wisebuys credit union credit union absorbs credit issuer time canton wisebuys store report credit credit card companies Hundreds of WiseBuys customers are victims of credit card fraud