<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: mastercard]]></title>
    <link>http://securityratty.com/tag/mastercard</link>
    <description></description>
    <pubDate>Fri, 21 Mar 2008 03:39:34 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Some firms don't admit security breaches - Geez, ya really think so?]]></title>
      <link>http://securityratty.com/article/b2d48452762f32280c4fe75aaeebe3a0</link>
      <guid>http://securityratty.com/article/b2d48452762f32280c4fe75aaeebe3a0</guid>
      <description><![CDATA[It's not often that security issues make mainstream media outlets. So when I saw this article on cbsnews.com I wanted to see what kind of "investigative journalism" the same folks who do 60 minutes...]]></description>
      <content:encoded><![CDATA[<p>It's not often that security issues make mainstream media outlets. So when I saw <a href="http://www.cbsnews.com/stories/2008/06/27/tech/main4215439.shtml?source=RSSattr=SciTech_4215439">this article on cbsnews.com</a> I wanted to see what kind of "investigative journalism" the same folks who do 60 Minutes would bring to the story. The story takes the particular case of Direct Marketing Services, Inc., the parent company of Montgomery Ward. It does a good job documenting the breach, the discovery of the breach and how the company complied with credit card company rules by notifying Visa, MasterCard, Discover, etc., but did not notify the 51,000 potentially affected customers. It also does a nice job of giving credit to Affinion Group Inc.'s CardCops for spotting and discovering this theft.<br><br>The article then goes on to say that 44 states have passed statutes making disclosure and notification of security and confidential breaches to affected consumers mandatory. The article does caution, though, that based upon the volume of data being sold in "online black markets", there are many more breaches than we are being told about. I think it is good that CBS bangs the drums on this, but frankly that "evidence" is a bit flimsy. I also found it gratifying that the article blames the credit card companies themselves for not doing more to publicize these breaches, so that they don't have to issue new cards. Just goes to prove what has been written before: in the bigger picture the cost of doing business may include the risk of compromised data, and big business has determined that that is a risk worth taking.<br></p>
]]></content:encoded>
      <pubDate>Sun, 29 Jun 2008 12:51:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breaches">breaches</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/article">article</category>
      <category domain="http://securityratty.com/tag/article blames">article blames</category>
      <category domain="http://securityratty.com/tag/credit card companies">credit card companies</category>
      <category domain="http://securityratty.com/tag/confidential breaches">confidential breaches</category>
      <category domain="http://securityratty.com/tag/credit">credit</category>
      <category domain="http://securityratty.com/tag/nice job">nice job</category>
      <category domain="http://securityratty.com/tag/parent company">parent company</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/322801642/some-firms-dont.html">Some firms don't admit security breaches - Geez, ya really think so?</source>
    </item>
    <item>
      <title><![CDATA[Montgomery Ward breached, no notification obligation?]]></title>
      <link>http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b</link>
      <guid>http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/27/08

Organization
Direct Marketing Services Inc

Contractor/Consultant/Branch
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/wards.jpg" width="200" align="right" height="50"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/27/08<br><br><span style="font-weight: bold;">Organization: </span><br>Direct Marketing Services Inc.<br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.wards.com/wards/default.asp">Montgomery Ward</a> <br><a href="http://www.homevisions.com/hvprod/Default.asp">HomeVisions.com</a> <br><a href="http://www.searshomecenter.com/homecenter/default.asp">SearsHomeCenter.com</a> <br><a href="http://www.searsshowplace.com/showplace/default.asp">SearsShowPlace.com</a> <br><a href="http://www.searsroomforkids.com/roomforkids/default.asp?partner=0">SearsRoomForKids.com</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"at least 51,000 records"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses, phone numbers, card numbers, "security codes", and expiration dates<br><br><span style="font-weight: bold;">Breach Description:</span><br>"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://ap.google.com/article/ALeqM5hMgFbRpfc74PW0CvbF3kFbWFkHsAD91IJCHG2">The Associated Press</a> <br><a href="http://www.wztv.com/template/inews_wire/wires.national/2c50aedd-www.fox17.com.shtml">The Associated Press via WZTV Channel 17 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Associated Press<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.<br><br>The venerable Wards chain that began in 1872 went out 
of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.<br><br>Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.<br><br>By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.<br><span style="font-style: italic;">[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above).&nbsp; I don't know what the sixth is.</span><br style="font-style: italic;"><br>It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com<br><br>Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.<br><br>Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.<br><span style="font-style: italic;">[Evan] This is sad.&nbsp; The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response.&nbsp; Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures.&nbsp; Take a look at the Visa "</span><a style="font-style: italic;" href="http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf?it=r%7C/merchants/risk_management/cisp_if_compromised.html%7CWhat%20to%20Do%20If%20Compromised">What To Do if Compromised</a><span style="font-style: italic;">" procedures, and judge for yourself.</span><br style="font-style: italic;"><br>That included a report to the U.S. 
Secret Service.<br><br>He said he believed by the end of December that Direct Marketing Services had met its obligations.<br><span style="font-style: italic;">[Evan] Mr. Milgrom is the president of the company.&nbsp; He really thought that his company had met all of its obligations with respect to this breach?&nbsp; It never occurred to him that he should notify customers, even if he weren't required to by law?&nbsp; Not only was the lack of notification illegal, but I think it is also unethical.</span><br style="font-style: italic;"><br>However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.<br><br>Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.<br><br>After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.<br><br>This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.<br><br>In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.<br><br>CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.<br><br>Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.<br><br>The data had been organized in the same way, indicating the numbers likely came from the same database.<br><br>CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a 
merchant catering to a certain demographic.<br><br>When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."<br><span style="font-style: italic;">[Evan] This is some good investigative work.</span><br><br>It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.<br><span style="font-style: italic;">[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties.&nbsp; 51,000 may be Montgomery Ward's customer accounts, and the remainder could be from the other five properties (just speculating).</span><br style="font-style: italic;"><br>A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.<br><br>Ua said they weren't told which merchant had been breached.<br><br>Visa declined to comment.<br><span style="font-style: italic;">[Evan] Visa always declines to comment.&nbsp; No sense in even seeking one.</span><br><br>MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.<br><span style="font-style: italic;">[Evan] Three different card companies, three entirely different responses.&nbsp; Of the three, I think I like the Discover one the best.</span><br style="font-style: italic;"><br>Such silence was the norm in the industry for years. 
But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked.<br><br>Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.<br><br>Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.<br><span style="font-style: italic;">[Evan] I absolutely agree.&nbsp; You would be naïve to think that victim notifications go out in all breaches.&nbsp; Too many corporate leaders would rather not notify and hope that nobody notices.</span><br style="font-style: italic;"><br>Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.<br><br>Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.<br><br>"What it reveals is the convoluted banking system," she said. 
"If this had taken place at a grocery store, we all would have heard about it."<br><br>In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.<br><br>"Probably every one of our cards is up there somewhere now," she said.<br><span style="font-style: italic;">[Evan] I agree with all of the statements made by Avivah Litan except this one.&nbsp; This is a stretch.</span><br><br><span style="font-weight: bold;">On the Net:</span><br>Links to the <a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm">44 state notification laws</a> <br><br><span style="font-weight: bold;">Commentary:</span><br>Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better?&nbsp; I lean towards the former.&nbsp; Either way, is ignorance of the law any kind of valid excuse?&nbsp; <br><br>Let's assume for a second that the company really didn't know that they were required to notify victims.&nbsp; If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.<br><br>I could only guess how the "hack" took place.&nbsp; What vulnerability was exploited?&nbsp; Even in this, the company appears to have not detected the attack.&nbsp; Direct Marketing Services, Inc. had to be told of it by Citibank.&nbsp; Does this mean that the company did not use intrusion detection/prevention?&nbsp; <br><br>I could go on and on, but in the end I don't have much confidence here. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 19:45:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/card companies">card companies</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/services closely">services closely</category>
      <category domain="http://securityratty.com/tag/credit card companies">credit card companies</category>
      <category domain="http://securityratty.com/tag/services retail properties">services retail properties</category>
      <category domain="http://securityratty.com/tag/financial company citigroup">financial company citigroup</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <category domain="http://securityratty.com/tag/montgomery ward">montgomery ward</category>
      <source url="http://breachblog.com/2008/06/27/wards.aspx">Montgomery Ward breached, no notification obligation?</source>
    </item>
    <item>
      <title><![CDATA[Altman Weil online store compromised]]></title>
      <link>http://securityratty.com/article/ea938b50d0e97fc94b9bb9b82e2b551b</link>
      <guid>http://securityratty.com/article/ea938b50d0e97fc94b9bb9b82e2b551b</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/27/08

Organization
Altman Weil, Inc

Contractor/Consultant/Branch
Unnamed web hosting vendor

Victims
Customers

Number Affected
Unknown

21 Maryland...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/altman.jpg" align="right" height="55" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/27/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.altmanweil.com/">Altman Weil, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unnamed web hosting vendor<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown*<br><br><font size="1">*21 Maryland residents were affected</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>"credit card information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>On May 16, 2008, Altman Weil was notified by the company that hosts their on-line web store that credit card information belonging to Altman Weil customers was compromised through a "SQL virus" attack.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-153059.pdf">Maryland State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Maryland State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>On May 16, 2008, we were advised by the company that hosts our On-line Store website that an external virus (known as the SQL virus) accessed their server and may have attacked the credit card information of certain Altman Weil customers.<br><span style="font-style: italic;">[Evan] What is "the SQL virus"? 
Is this referring to an attack like that in this story "</span><a style="font-style: italic;" href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9080580">Huge Web hack attack infects 500,000 pages</a><span style="font-style: italic;">", an attack like the </span><a style="font-style: italic;" href="http://www.microsoft.com/technet/security/alerts/slammer.mspx">Slammer</a><span style="font-style: italic;"> worm (some would argue that this is the true "SQL virus") or just poor coding that led to a simple SQL injection attack?</span><br><br>Upon learning of this unauthorized breach and attack, on that same day, Altman Weil immediately authorized the hosting company to shut the site down so that access is no longer possible.<br><br>We were told by the hosting company that the server on which the On-line Store resided was password protected and had current firewalls and security protection, but we understand that the SQL virus may nonetheless have accessed credit card information.<br><span style="font-style: italic;">[Evan] I doubt that the password protection or "current firewalls and security protection" would have had much effect against poor coding or missing patches.&nbsp; The term "current firewalls and security protection" is pretty subjective, so I can only speculate.</span><br><br>We are actively investigating this attack and are also addressing this incident to fully determine the extent to which credit card information of our customers may have been accessed.<br><br>We are looking for any help that your office or other state and/or federal agencies might be able to provide in assisting us to identify and pursue those responsible for this attack.<br><span style="font-style: italic;">[Evan] This is an interesting request.&nbsp; I think this is the first time that I have read where a company asks for assistance from the Attorney General.</span><br><br>Here are the steps we have taken to date, we:<br><br></font><ol><li><font 
size="2">On May 16, 2008, notified the Merchant Bank, Bryn Mawr Trust of the potential security breach.</font></li><li>On May 16, 2008, learned that Bryn Mawr Trust outsources the actual credit card functions of the Merchant Bank to TransFirst.</li><li>On May 16, 2008, contacted TransFirst and notified it of the potential security breach and was informed that it would notify the three credit card companies, Visa, MasterCard and American Express.</li><li>On May 16, 2008, Altman Weil independently notified Visa, MasterCard, and American Express of the potential security breach.</li><li>On Saturday, May 24, 2008, notified all card holders whose cards were current (i.e. the expiration dates had not kicked in yet) by telephone calls placed.</li><li>Notified all card holders by letter of the situation and the possible risk.</li><li>Notified the following law enforcement agencies:</li></ol><ol type="a"><li>Local police department located in Newton Square, Pennsylvania, where Altman Weil is located on May 23, 2008.</li><li>Secret Service's ECTF and Electronic Crimes Working Group on May 24, 2008.</li><li>Every state Attorney General in the states where potentially affected cardholders reside on May 27, 2008.</li><li>Federal Trade Commission on May 27, 2008.</li><li>Office of Thrift Supervision on May 27, 2008.</li><li>Office of the Comptroller of the Currency on May 27, 2008.</li><li>Federal Deposit Insurance Corporation on May 27, 2008.</li><li>Board of Governors of the Federal Reserve System on May 27, 2008.</li></ol><ol start="8"><li>Assured that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.</li><li>Retained forensic auditors at are [sic] own expense to undertake a thorough technical investigation of the cause and extent of the breach.</li><li>Committed to be back in touch with those customers who might be at risk with further information, once we have it.<br></li></ol><font 
size="2"><span style="font-style: italic;">[Evan] Whether I agree with the steps taken or not, I do appreciate the candid response.&nbsp; Without being close to the incident, it seems like Altman Weil did a good job.&nbsp; I presume from the structure that Altman Weil either has incident response procedures or they received good advice.</span><br style="font-style: italic;"><br>For more information contact Joann Miller, at Altman Weil, Inc. at 610-886-2006, or via email at: jamiller@altmanweil.com<br><br><b>Commentary:</b><br>This is an interesting breach, although we are not really clear on the details due to the terminology used in the notification. <br><br><b>Past Breaches:</b><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Mon, 16 Jun 2008 11:27:28 +0000</pubDate>
      <category domain="http://securityratty.com/tag/altman weil">altman weil</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/altman weil immediately">altman weil immediately</category>
      <category domain="http://securityratty.com/tag/altman weil customers">altman weil customers</category>
      <category domain="http://securityratty.com/tag/credit card information">credit card information</category>
      <category domain="http://securityratty.com/tag/potential security breach">potential security breach</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <source url="http://breachblog.com/2008/06/16/altman.aspx">Altman Weil online store compromised</source>
    </item>
    <item>
      <title><![CDATA[PayPal Plug-In: Secure one-time credit card payments at any site]]></title>
      <link>http://securityratty.com/article/dda16574a2dba27dcbccf17e879c01ea</link>
      <guid>http://securityratty.com/article/dda16574a2dba27dcbccf17e879c01ea</guid>
      <description><![CDATA[I use PayPal whenever possible, securing my access with a password and a VIP token. But many sites I visit don't accept PayPal. Now, that's not a problem. I can enjoy the relative safety of a PayPal...]]></description>
      <content:encoded><![CDATA[I use PayPal whenever possible, securing my access with a password and a VIP token.  But many sites I visit don't accept PayPal.  Now, that's not a problem.  I can enjoy the relative safety of a PayPal transaction on any site that takes MasterCard. ]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 06:39:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/paypal">paypal</category>
      <category domain="http://securityratty.com/tag/accept paypal">accept paypal</category>
      <category domain="http://securityratty.com/tag/paypal transaction">paypal transaction</category>
      <category domain="http://securityratty.com/tag/takes mastercard">takes mastercard</category>
      <category domain="http://securityratty.com/tag/relative safety">relative safety</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/enjoy">enjoy</category>
      <category domain="http://securityratty.com/tag/visit">visit</category>
      <source url="http://networking.ittoolbox.com/r/rss.asp?url=http://blogs.ittoolbox.com/security/adventures/archives/paypal-plugin-secure-onetime-credit-card-payments-at-any-site-25350">PayPal Plug-In: Secure one-time credit card payments at any site</source>
    </item>
    <item>
      <title><![CDATA[1st Source Bank reissues all debit cards in response to breach]]></title>
      <link>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</link>
      <guid>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/30/08

Organization
1st Source Bank

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

Types of Data
Debit card...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/1stsource.jpg" align="right" height="58" width="180"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.1stsource.com/">1st Source Bank</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Debit card information including Track 2 data contained on magnetic stripes and some PIN numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.digitaltransactions.net/newsstory.cfm?newsid=1804">Digital Transactions News</a> <br><a href="http://www.wsbt.com/news/local/19416024.html">WSBT TV News</a> <br><a href="http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20080531/News01/805310350/0/Lives">South Bend Tribune</a> <br><a href="http://www.journalgazette.net/apps/pbcs.dll/article?AID=/20080605/BIZ/806050366">The Journal Gazette</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WSBT TV News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data.<br><span style="font-style: italic;">[Evan] I wonder how many debit cards are in its "entire portfolio".&nbsp; I'm guessing that the number is in the tens of 
thousands.</span><br><br>A hacker broke into the system from the outside and compromised the system.<br><br>No fraud has been discovered as a result of the intrusion.<br><br>The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. "We immediately saw that and shut it down," says Seitz.<br><span style="font-style: italic;">[Evan] It appears as though the bank employs a managed security services provider for intrusion detection monitoring and alerting (and possibly more).&nbsp; Using a third-party provider as a part of information security strategy is probably a good idea for organizations that do not have, cannot afford, or do not want to build in-house expertise.&nbsp; Managing third-party service agreements can sometimes be quite a challenge.</span><br><br>The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.<br><br>"The server that holds our debit card information they were in there and they transferred information out. But we can't really tell if it was 10, 20, or 30 percent of our card holders," said Seitz.<br><br>They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.<br><br>Exactly how the hackers tapped the server isn’t publicly known.<br><span style="font-style: italic;">[Evan] This will be determined as part of the forensic investigation, but publicly this may never be known.&nbsp; We can only speculate. The information that was compromised is very sensitive and should have never been accessible from the "outside". 
Who knows if the server was actually compromised directly or through another avenue of attack.&nbsp; See, I am speculating.&nbsp; Thankfully, the bank had detective controls in place.</span><br><br>1st Source Bank is sending out letters reminding their customers to check their recent bank account activity.<br><span style="font-style: italic;">[Evan] As people should anyway.</span><br><br>"Out of an overabundance of care, we’re reissuing new debit cards to all our customers"<br><span style="font-style: italic;">[Evan] We could argue "overabundance".</span><br><br>The bank is reissuing all cards, which are MasterCard-branded, as a precaution<br><br>1st Source also is offering customers free credit-report monitoring for a year.<br><br>He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.<br><span style="font-style: italic;">[Evan] The Visa U.S.A. Cardholder Information Security Program (CISP) "List of Compliant Service Providers - All" is </span><a style="font-style: italic;" href="http://www.usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf?it=c%7C/merchants/risk_management/cisp.html%7CCISP%20List%20of%20Compliant%20Service%20Providers">here</a><span style="font-style: italic;"> (a little different, but good information nonetheless).</span><br><br>"We are working with law enforcement to find these bad guys, and we didn't want to tip them off," said James Seitz<br><span style="font-style: italic;">[Evan] Chances are that the "bad guys" already know what they have.</span><br><br>"Our number one priority is our customers. 
We shut everything down right away and hired the best people we could get our hands on to see what happened here and to make sure it doesn't happen again," said Seitz.<br><br>1st Source began working with law enforcement and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.<br><span style="font-style: italic;">[Evan] 1st Source should be commended for not hesitating to bring in outside help.</span><br><br>It has taken a while to get all the information out about the breach, Seitz said, since the bank had to spend time going through all of its laptops and computer systems.<br><br>"You've got to understand what you have," he said.<br><span style="font-style: italic;">[Evan] A high-priority task for information security governance is to understand what you have. During an incident response is not a good time to figure out what you have.</span><br><br>Though the breach is something rather new for 1st Source, Seitz said these types of breaches seem to be hitting businesses in general more and more this day and age.<br><br>"Certainly, it's never happened to us before," Seitz said. "But it's becoming more prevalent. Daily, banks are going through this."<br><span style="font-style: italic;">[Evan] Breaches are as prevalent or more prevalent than they have ever been.&nbsp; I agree with Mr. Seitz.&nbsp; Recognizing this fact, what excuses do organizations have for not investing in and properly managing information security programs?&nbsp; I am not saying that 1st Source does not, I am writing in general terms.</span><br><br>Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach. Seitz called it a "considerable cost."<br><br>"Actually, our customers have been very understanding," he said. 
"Obviously, this is something that puts a little stress on that relationship."<br><br><span style="font-weight: bold;">Customer Reactions:</span><br>"My main worry is that my money is going to be gone tomorrow when I go to my account," said Jeremy Reinke, a 1st Source Bank customer.<br><br>"Is my money still in my account, and can they correct this so it doesn't happen again?" asked Chris Stump, another customer who hadn't heard about the May 12 security breach. "I guess in some ways I would have liked to know by now."<br><br><span style="font-weight: bold;">Commentary:</span><br>Judging from the customer comments I have read, people are concerned about the breach, but not angry with 1st Source Bank.&nbsp; I think this is because they perceive the bank's response to be open and genuine.&nbsp; The bank did employ proper controls to identify this breach early on and provided notice to customers in a timely manner.&nbsp; The fact that the bank took additional steps like re-issuing cards and providing credit monitoring only adds to the favorable perception.<br><br>I am still interested in knowing more detail around how an unauthorized outside entity was able to access this sensitive information in the first place.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 05:09:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/1st source">1st source</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/1st source bank">1st source bank</category>
      <category domain="http://securityratty.com/tag/evan 1st source">evan 1st source</category>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/bank server">bank server</category>
      <category domain="http://securityratty.com/tag/bank officials">bank officials</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/bank employs">bank employs</category>
      <source url="http://breachblog.com/2008/06/05/1stsource.aspx">1st Source Bank reissues all debit cards in response to breach</source>
    </item>
    <item>
      <title><![CDATA[Not "who you gonna run to" but "who you gonna call"?]]></title>
      <link>http://securityratty.com/article/0deda6470afe5256cbb3172ac428425f</link>
      <guid>http://securityratty.com/article/0deda6470afe5256cbb3172ac428425f</guid>
      <description><![CDATA[You could try ghostbusters, but don't bother calling the PCI council. So says Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course...]]></description>
      <content:encoded><![CDATA[<p>You could try Ghostbusters, but don't bother calling the PCI council. So say <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/when-do-you-hav.html#respond">Mike Fratto</a> and <a href="http://www.mckeay.net/2008/05/29/who-you-gonna-run-to/">Martin McKeay</a> in response to my <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/when-do-you-hav.html#respond">earlier article</a> about when you have an obligation to go public. Of course I was responding to Martin's <a href="http://www.mckeay.net/2008/05/29/disclosing-in-a-public-forum-is-not-whistle-blowing/">earlier post</a> on the TJX employee getting fired. What all three of us agreed on, though, is that there is no place or person that an employee, or any other person frankly, can call to report a company that is not in compliance with PCI. <br><br><a href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/05/30/toothless.jpg"><img title="Toothless" height="212" alt="Toothless" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/05/30/toothless.jpg" width="180" border="0" style="FLOAT: right; MARGIN: 0px 0px 5px 5px"></img></a>Mike Fratto says "PCI has no teeth because VISA/Mastercard doesn't want to bite the hands that feed it." Martin says the PCI council has not established a way for people to report violations because "that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want." So are the PCI regs toothless? I wouldn't exactly go that far. I think we have to draw a distinction between having the power to act and actually exercising that power. Mike is right: so far the PCI council has yet to exercise the powers it was granted to impose sanctions and penalties. That doesn't mean they won't in the future though. 
I think they will have to make some "examples"; otherwise people are going to begin to ignore the requirements altogether. <br><br>Without some process to report violations, the credit card companies are inviting the government to step in. This is exactly the reason, as Mike Fratto points out, that they imposed the PCI regs to begin with: to keep the government out. Until they do, though, I think going public and the court of public opinion may be the only recourse.</p>
]]></content:encoded>
      <pubDate>Fri, 30 May 2008 16:50:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci regs toothless">pci regs toothless</category>
      <category domain="http://securityratty.com/tag/pci regs">pci regs</category>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci council">pci council</category>
      <category domain="http://securityratty.com/tag/mike">mike</category>
      <category domain="http://securityratty.com/tag/mike fratto">mike fratto</category>
      <category domain="http://securityratty.com/tag/report violations">report violations</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/martin">martin</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/301599720/not-who-you-gon.html">Not "who you gonna run to" but "who you gonna call"?</source>
    </item>
    <item>
      <title><![CDATA[Two stolen Saks Incorporated laptops contained sensitive information]]></title>
      <link>http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57</link>
      <guid>http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/30/08

Organization
Saks Incorporated

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

According to the New Hampshire...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/saks.jpg" align="right" height="75" width="75"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.saksincorporated.com/">Saks Incorporated</a><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown*<br><br><font size="1">*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire<br></font><br><span style="font-weight: bold;">Types of Data:</span><br>Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.<br><br><span style="font-weight: bold;">Breach Description:</span><br>"In mid-April 2008, Saks learned that four company laptops were stolen.&nbsp; Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/saks.pdf">New Hampshire State Attorney General breach notification</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>In mid-April 2008, Saks learned that four company laptops were stolen.&nbsp; Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.<br><br>Based on our investigation, we have 
confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, PIN numbers, codes, or passwords, or any other types of sensitive data.<br><span style="font-style: italic;">[Evan] Thank God for that!</span><br><br>Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.<br><span style="font-style: italic;">[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops.&nbsp; Password-protected laptops are little more than nothing to stop someone from accessing the information.</span><br style="font-style: italic;"><br>We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.<br><br>Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).<br><span style="font-style: italic;">[Evan] I think laptop thefts and losses are more typical than network, website or database breaches.</span><br><br>The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.<br><br>Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.<br><br>Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.<br><br>Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. 
ET on Monday through Saturday through our dedicated toll-free information helpline at 1-888-724-2455.<br><br>We deeply regret any inconvenience or concern that this matter may cause you.<br><br><span style="font-weight: bold;">Commentary:</span><br>The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Officer of Saks Incorporated.&nbsp; I respect Mr. Sadove for addressing this situation in person (so to speak).&nbsp; It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Sun, 11 May 2008 17:28:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/saks">saks</category>
      <category domain="http://securityratty.com/tag/laptops">laptops</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/andor saks">andor saks</category>
      <category domain="http://securityratty.com/tag/company laptops">company laptops</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/credit card account">credit card account</category>
      <source url="http://breachblog.com/2008/05/11/saks.aspx">Two stolen Saks Incorporated laptops contained sensitive information</source>
    </item>
    <item>
      <title><![CDATA[Intrusion at Okemo Mountain Resort exposes customers]]></title>
      <link>http://securityratty.com/article/c7de24cbe0e0c51223e6fa063616f877</link>
      <guid>http://securityratty.com/article/c7de24cbe0e0c51223e6fa063616f877</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/31/08

Organization
Okemo Mountain Resort

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
46,569

Types of Data
credit card data...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/okemo.jpg" align="right" height="48" width="175"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/31/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.okemo.com/okemowinter/">Okemo Mountain Resort</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>46,569<br><br><span style="font-weight: bold;">Types of Data:</span><br>"credit card data including cardholder names, account numbers and expiration dates"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Okemo Mountain Resort said Monday that hackers broke into its computer network and potentially gained access to credit card data from 28,168 transactions between Feb. 7 and Feb. 22 and 18,401 credit cards between January and March 2006."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.okemo.com/okemowinter/security_update.asp">Okemo Mountain Resort News Release</a> <br><a href="http://www.timesargus.com/apps/pbcs.dll/article?AID=/20080401/NEWS02/804010390/1003/NEWS02">Barre-Montpelier Times Argus</a> <br><a href="http://www.businessweek.com/ap/financialnews/D8VOMSOG0.htm">BusinessWeek</a> <br><a href="http://www.wtnh.com/Global/story.asp?S=8098892&amp;nav=3YeX">WTNH Channel 8 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Okemo Mountain Resort<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Okemo Mountain Resort today announced that it has been a recent target of criminal efforts to gain access to credit data by infiltration of its computer network at Okemo Mountain Ski Area.<br><br>Okemo believes the intruder gained potential access to credit card data including cardholder names, account 
numbers and expiration dates.<br><br>An expert in data security and forensics hired by Okemo to assist in the investigation and response to the incident has informed Okemo that its computer system was improperly accessed by an outside party for a 16-day period between February 7, 2008 and February 22, 2008.<br><br>Affected consumers potentially include those who used their credit cards at Okemo during such dates as well as those who did so from January through March of 2006. <br><br>The forensic review determined that the intruder may have accessed credit card data from up to 28,168 credit card transactions processed at Okemo during the 16-day period in February.&nbsp; The actual number of credit card holders involved in the transactions is likely to be smaller because multiple transactions may have been processed on a single card.<br><br>In addition, there may have been access to 18,401 individual credit cards used at Okemo from January through March 2006, many of which are believed to have expired.<br><br>Okemo spokeswoman Bonnie MacPherson said Monday the company has not heard of any customers subjected to fraud as a result of the breach.<br><br>Upon discovery of this intrusion, Okemo promptly initiated security measures to block the infiltration and protect any personal information transmitted through its system from any further unauthorized access.<br><span style="font-style: italic;">[Evan] How do you suppose Okemo discovered this intrusion?&nbsp; Did a customer report unauthorized charges?&nbsp; Was the incident stumbled upon or detected during information security reviews of critical systems?</span><br style="font-style: italic;"><br>Okemo has provided notice to Visa, MasterCard and American Express and is cooperating fully with the credit card companies to notify potentially affected cardholders.<br><br>Okemo does not have sufficient information to directly contact cardholders.<br><br>Okemo has been informed that the banks, which issued the credit cards, 
will be provided with information necessary to notify their cardholders.<br><br>Okemo has also notified law enforcement and is providing notice to State Attorneys General and appropriate regulatory agencies.<br><br>Okemo will continue to carefully monitor the security of its systems moving forward.<br><span style="font-style: italic;">[Evan] Okemo (and all organizations) should "carefully monitor the security of its systems" continually.&nbsp; This "should" go without saying.&nbsp; Especially systems that are used in the collection, creation, storage, or transmission of confidential information.&nbsp; </span><br style="font-style: italic;"><br>Okemo has been advised by Federal law enforcement officials that the matter is currently under investigation.<br><br>Okemo will provide updates on this incident on its website: <a href="http://www.okemo.com/">www.okemo.com</a>.&nbsp; For further information or assistance, cardholders are encouraged to call the following Toll Free Number, 1-866-756-5366.&nbsp; Okemo can also be contacted at Okemo Mountain Resort, 77 Okemo Ridge Road, Ludlow, VT 05149.<br><br>"As a result of this, we've increased the firewall capability and added some software and taken some additional precautions," she said. (Okemo spokeswoman Bonnie MacPherson)<br><span style="font-style: italic;">[Evan] Huh?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>I appreciate Okemo's news release.&nbsp; Some of the things that I didn't notice were an apology to the affected consumers, any words from Okemo leadership or any details about how this breach occurred.<br><br>Intrusions are coming in bunches lately. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 01 Apr 2008 16:44:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/okemo">okemo</category>
      <category domain="http://securityratty.com/tag/okemo mountain resort">okemo mountain resort</category>
      <category domain="http://securityratty.com/tag/okemo leadership">okemo leadership</category>
      <category domain="http://securityratty.com/tag/okemo ridge road">okemo ridge road</category>
      <category domain="http://securityratty.com/tag/evan okemo">evan okemo</category>
      <category domain="http://securityratty.com/tag/okemo promptly">okemo promptly</category>
      <category domain="http://securityratty.com/tag/evan">evan</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/credit data">credit data</category>
      <source url="http://breachblog.com/2008/04/01/okemo.aspx">Intrusion at Okemo Mountain Resort exposes customers</source>
    </item>
    <item>
      <title><![CDATA[Intrusion at Stedmans.com exposes credit card information]]></title>
      <link>http://securityratty.com/article/b843fad19d119230af985462a5bfdc22</link>
      <guid>http://securityratty.com/article/b843fad19d119230af985462a5bfdc22</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/10/08

Organization
Wolters Kluwer

Contractor/Consultant/Branch
Lippincott Williams &amp; Wilkins
Stedman's
Bixler Incorporated

Victims
Customers who...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/wolters.jpg" align="right" height="45" width="201"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/10/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.wolterskluwer.com/WK/">Wolters Kluwer</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.lww.com/index.html">Lippincott Williams &amp; Wilkins</a> <br><a href="http://www.stedmans.com/">Stedman's</a> <br><a href="http://bixler.com/">Bixler Incorporated</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers who made online purchases from Stedman's between August 30th, 2007 and February 27th, 2008<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown*<br><br><font size="1">*There were 25 New Hampshire residents affected.&nbsp; The total number affected is expected to be much larger.<br></font><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers.<br><br><span style="font-weight: bold;">Breach Description:</span><br>"On February 27, 2008, Lippincott Williams &amp; Wilkins, a Wolters Kluwer business, was informed by the company that hosts one of our websites, <a href="http://www.stedmans.com/">www.stedmans.com</a>, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/wolters.pdf">The New Hampshire State Attorney General breach notification</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>The New 
Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>On February 27, 2008, Lippincott Williams &amp; Wilkins, a Wolters Kluwer business, was informed by the company that hosts one of our websites, <a href="http://www.stedmans.com/">www.stedmans.com</a>, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website.<br><span style="font-style: italic;">[Evan] The company that hosts stedmans.com is </span><a style="font-style: italic;" href="http://bixler.com/portfolio.cfm/Life%20Sciences/6">Bixler Incorporated</a><span style="font-style: italic;">.</span><br><br>The personal information that may have been compromised may include names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers of individuals who made purchases at the site from approximately August 30, 2007 to February 27, 2008.<br><span style="font-style: italic;">[Evan] Storing card verification numbers is a violation of the Payment Card Industry (PCI) Data Security Standard.&nbsp; According to Requirement 3: Protect stored cardholder data, Section 3.2.1 "NEVER store the card verification code or value or PIN verification value data elements." 
and 3.2.2 "Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"&nbsp; Stedmans.com was not compliant with the standard.&nbsp; Why wasn't the site compliant, and what vulnerability was exploited?</span><br style="font-style: italic;"><br>The company has contacted the three major national credit reporting agencies, and the company mailed a notice to consumers who may have been affected by this incident on March 10, 2008<br><span style="font-style: italic;">[Evan] It would be a better idea to contact Visa and Mastercard than it would be to contact the credit reporting agencies.&nbsp; If the information was limited to what was reported, then there is not a high risk of immediate identity theft (no Social Security numbers in particular).&nbsp; There is a medium to high risk of credit card fraud, which is much different.</span><br style="font-style: italic;"><br>We are working with our website hosting company on additional security measures for the Stedmans.com website<br><span style="font-style: italic;">[Evan] It would be a good idea to work with information security professionals (third-party review).</span><br><br>we have arranged with Equifax Personal Solutions to provide potentially affected consumers with an opportunity to enroll in the Equifax Credit Watch Gold identity theft protection product at no cost to them for one year<br><span style="font-style: italic;">[Evan] Again, this is not really an identity theft issue.&nbsp; It is a credit card fraud issue.&nbsp; Two related but different issues.</span><br><br>Lippincott Williams &amp; Wilkins is committed to maintaining and protecting the confidentiality of our customers' personal, private, and sensitive information. 
We regret that this situation has occurred, and we will be working to reduce the risks of a similar situation happening in the future.<br><br><span style="font-weight: bold;">Commentary:</span><br>This breach certainly affects many more than the 25 New Hampshire residents mentioned in the breach notification to the New Hampshire State Attorney General.&nbsp; I am disappointed by the appearance that stedmans.com was not VISA/PCI DSS compliant and by the response, which shows a misunderstanding of the risks.&nbsp; Stedmans.com customers are mostly people in the medical field, so I am guessing that many of these credit cards have limits that exceed mine. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br>
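<br>Two of the breaches in this feed turn on data that should not have been sitting on the compromised servers at all: the Track 2 magnetic-stripe data and PINs taken from the 1st Source Bank server described earlier, and the card verification numbers stored by stedmans.com. PCI DSS Requirement 3.2 forbids storing sensitive authentication data (full track contents, the card verification code or value, PINs) after authorization, so one practical check is to scan database exports, log files and disk images for exactly those elements before an intruder does. The Python scanner below is an added example written for this page; it is not code from breachblog, 1st Source, Wolters Kluwer, Bixler or the PCI Security Standards Council. Every record it scans is constructed (the PANs are the well-known 4111... and 5555... test numbers), and the column names it treats as CVV or PIN fields are assumptions about how such data tends to be labelled in a merchant database.<br>

```python
"""Scan stored records for sensitive authentication data that PCI DSS
Requirement 3.2 forbids keeping after authorization: full magnetic-stripe
track data, card verification values (CVV2/CVC2/CID) and PINs.

Added example for this page; not code from any organization named in it.
All sample records below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Track 2 layout (ISO 7813): optional ';' start sentinel, PAN of up to 19
# digits, '=' separator, YYMM expiry, 3-digit service code, discretionary
# data (where a PVV or CVV1 may live), optional '?' end sentinel.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# Assumed column names for verification values and PINs; adjust per schema.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_verification", "security_code"}
PIN_KEYS = {"pin", "pin_block", "pvv"}


def luhn_ok(number: str) -> bool:
    """Mod-10 check that separates a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS 3.3 allows on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Optional[Track2]:
    """Return the parsed track if `raw` is a full Track 2 string with a Luhn-valid PAN."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if m is None or not luhn_ok(m["pan"]):
        return None
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str            # "track2", "cvv" or "pin"
    masked_pan: Optional[str] = None


def scan_record(record_id: str, record: Dict[str, str]) -> List[Finding]:
    """Flag every field of one record that holds prohibited authentication data."""
    findings: List[Finding] = []
    for field, value in record.items():
        key = field.lower()
        track = parse_track2(value)       # track data can hide in any column
        if track is not None:
            findings.append(Finding(record_id, field, "track2", mask_pan(track.pan)))
        elif key in CVV_KEYS and re.fullmatch(r"\d{3,4}", value):
            findings.append(Finding(record_id, field, "cvv"))
        elif key in PIN_KEYS and value:
            findings.append(Finding(record_id, field, "pin"))
    return findings


def scan(records: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Scan a mapping of record id -> row and return all findings in input order."""
    return [f for rid, row in records.items() for f in scan_record(rid, row)]


# Constructed rows. 4111 1111 1111 1111 and 5555 5555 5555 4444 are the
# usual Visa/MasterCard test numbers, not real accounts.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "order-1001": {"name": "A. Customer", "pan": "4111111111111111",
                   "exp": "2512", "cvv2": "123"},                  # CVV stored: violation
    "order-1002": {"name": "B. Customer", "pan": "5555555555554444",
                   "exp": "2611"},                                 # PAN + expiry: storable if protected
    "swipe-2001": {"terminal": "T7",
                   "raw": ";4111111111111111=2512101123456789?"},  # full Track 2: violation
    "swipe-2002": {"terminal": "T8", "raw": "not card data",
                   "pin_block": "A1B2C3D4E5F60718"},               # PIN block stored: violation
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        where = f" (PAN {f.masked_pan})" if f.masked_pan else ""
        print(f"{f.record_id}: {f.kind} found in field '{f.field}'{where}")
```

<br>Run it as a script to print the findings, or call scan() on rows pulled from a real export. The Track 2 parser is the part that earns its keep: matching the ';PAN=YYMMSSS...?' layout and then checking the PAN with a Luhn test keeps the scanner from flagging every digit string that happens to contain an equals sign, and masking the PAN in the output keeps the report itself from becoming one more copy of cardholder data.<br>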
]]></content:encoded>
      <pubDate>Sat, 22 Mar 2008 21:37:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/credit">credit</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/credit cards">credit cards</category>
      <category domain="http://securityratty.com/tag/equifax credit">equifax credit</category>
      <category domain="http://securityratty.com/tag/report credit">report credit</category>
      <category domain="http://securityratty.com/tag/stedmans">stedmans</category>
      <category domain="http://securityratty.com/tag/information security professionals">information security professionals</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <source url="http://breachblog.com/2008/03/23/wolters.aspx">Intrusion at Stedmans.com exposes credit card information</source>
    </item>
    <item>
      <title><![CDATA[Fraud Due to a Credit Card Breach]]></title>
      <link>http://securityratty.com/article/e45496bf94cf332f04296176b8d3830f</link>
      <guid>http://securityratty.com/article/e45496bf94cf332f04296176b8d3830f</guid>
      <description><![CDATA[This sort of story is nothing new: Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed
But it's...]]></description>
      <content:encoded><![CDATA[<p>This sort of <a href="http://www.breitbart.com/article.php?id=D8VFDD180&show_article=1">story</a> is nothing new:</p>

<blockquote>Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.</blockquote>

<p>But it's rare that we see statistics about the actual risk of fraud:</p>

<blockquote>The company is aware of about 1,800 cases of fraud reported so far relating to the breach.</blockquote>

<p>And this is interesting:</p>

<blockquote>"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."</blockquote>]]></content:encoded>
      <pubDate>Fri, 21 Mar 2008 03:39:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/data breach occurs">data breach occurs</category>
      <category domain="http://securityratty.com/tag/fraud">fraud</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/million unique account">million unique account</category>
      <category domain="http://securityratty.com/tag/actual risk">actual risk</category>
      <category domain="http://securityratty.com/tag/card authorization process">card authorization process</category>
      <category domain="http://securityratty.com/tag/retailer">retailer</category>
      <category domain="http://securityratty.com/tag/rule">rule</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/fraud_due_to_a.html">Fraud Due to a Credit Card Breach</source>
    </item>
  </channel>
</rss>
