Entries tagged with “data theft”.


There have been a few famous cyber security breaches regarding financial data in the past year. Here is our next example of one that involved a financial security breach at a large department store.

Hackers broke into the credit card payment system of the department store early last year. The company’s security system apparently issued alerts sixty thousand times but even so, the hackers were able to move around inside the system for more than half a year, all while continually causing alerts every day they were there.

According to employees at the company, the problem in this instance was that the system generated so many alerts per day that the ones corresponding to the actual break-in were only a tiny percentage of the total. According to some estimates, as many as three hundred and fifty thousand credit cards were exposed during the attack, and some nine thousand have been used by fraudsters since then.

According to some security experts, the main problem was that the company's point-of-sale network had all of the registers connected to a central computer. Because of this centralized system, it was easy for the hackers to reinstall their software on the registers every day.

The breach could have been prevented had the company more closely monitored the connections between the registers and the central computing system. Every section of the process has to be monitored and secured or a breach at any point could circumvent point of sale security, which is exactly what happened in this case.
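The story above turns on two facts: the intrusion produced alerts every day, and those alerts were lost in a much larger volume of routine ones. One triage approach a defender can apply is to look not at individual alerts but at the same signature recurring on the same host across many distinct days, which is exactly the footprint of malware being re-added to registers daily. The following is an added example, not code from the original post; the alert line format (`timestamp host=… sig=… action=…`) and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alert feed (not real logs): routine noise on workstations
# plus one signature that fires on the same register four days in a row.
SAMPLE_ALERTS = """\
2014-01-05T03:12:44Z host=REG-0117 sig=malware.dropper.generic action=alert
2014-01-05T03:15:02Z host=WS-0042 sig=policy.usb_inserted action=alert
2014-01-05T09:40:11Z host=WS-0043 sig=policy.usb_inserted action=alert
2014-01-06T03:10:57Z host=REG-0117 sig=malware.dropper.generic action=alert
2014-01-06T11:02:19Z host=WS-0042 sig=policy.usb_inserted action=alert
2014-01-07T03:13:08Z host=REG-0117 sig=malware.dropper.generic action=alert
2014-01-07T14:22:40Z host=WS-0099 sig=policy.web_filter action=alert
2014-01-08T03:11:30Z host=REG-0117 sig=malware.dropper.generic action=alert
2014-01-08T08:05:12Z host=WS-0043 sig=policy.usb_inserted action=alert
"""


def parse_alert(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["day"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return rec


def find_recurring(alert_text, min_days=3):
    """Group alerts by (host, signature) and flag pairs seen on >= min_days
    distinct days. Returns (hits, total_alerts, flagged_alerts) where hits maps
    (host, sig) -> sorted list of days it fired."""
    days_seen = defaultdict(set)
    count = defaultdict(int)
    total = 0
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        total += 1
        key = (rec["host"], rec["sig"])
        days_seen[key].add(rec["day"])
        count[key] += 1
    hits = {k: sorted(v) for k, v in days_seen.items() if len(v) >= min_days}
    flagged = sum(count[k] for k in hits)
    return hits, total, flagged


def report(alert_text, min_days=3):
    """Human-readable summary: which host/signature pairs persist, and how small
    a share of the overall alert volume they represent."""
    hits, total, flagged = find_recurring(alert_text, min_days)
    lines = [f"{total} alerts, {flagged} belong to persistent host/signature pairs"]
    for (host, sig), days in hits.items():
        lines.append(f"  {host} {sig}: {len(days)} days ({days[0]} .. {days[-1]})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

The point of grouping by distinct days rather than raw count is that a noisy signature can fire many times in one afternoon without meaning much, whereas the same signature returning to the same register every night is worth a human's attention even when it is a handful of alerts among thousands.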

For more information about keeping financial transactions secure against hackers, please contact us.

There have been a number of cyber breaches in the last year where financial data has been leaked to the public. Some have been smaller companies, but a fair number of larger corporations have fallen victim as well. Here's an example of a more recent cyber security breach that took place at a major retail store.

Last year a major retail store reported that up to 40 million credit card numbers had been stolen by hackers. According to some, it was one of the biggest retail hacks in American history. The hackers gained access by installing malware into the payment system the store was using. This allowed them to capture credit card information for every single customer across the more than 1,500 stores where the information was stored. The program worked by copying a consumer's credit card number whenever the card was swiped to pay for items.

The hackers were actually spotted by a few different security companies during this breach. This was a case where the security measures in place actually functioned, and the problem was the human element.

Apparently, the security program in place had the option to automatically delete malware being placed on the system, but the security team turned it off. According to some sources, the security team then failed to keep a firm enough grip on network security, which caused them to miss the multiple flags that went off.

The Symantec Endpoint Protection system that the company was using for antivirus even identified the threat well in advance.

The case with this retail store just goes to show that a security system, no matter how advanced, is only as effective as the people using it.

For more information on cyber security, please contact us today.

Barnes and Noble has reported that PIN entry devices in dozens of its stores have been hacked. According to the company, one device in each of 63 different stores had been compromised. The company said that its website and purchases made on the Nook were not impacted by the breach.

Reports indicate that the stores involved in the compromise were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. B&N is working with banks to notify affected customers.

The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered. Further, the company altered the process for using a card to a more secure method. Rather than swiping the card, the consumer will now hand the cashier the card to be swiped, a process the company believes to be more secure.

There are two security issues at play here. The first is the question of physical security.  How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad device without the assistance of the clerk?  While that certainly adds convenience, it can also introduce risk.  The following video demonstrates just how easy it can be to compromise a PIN pad machine.

As you can see, without the proper physical security, attaching a skimming device or tampering with the machine can take just a matter of seconds. If you are accepting cards it is vitally important to think about the physical security of the data, as well as the technical security. If you use a mobile device, ensure that it is with you at all times. If it is not with you, it should be locked in a secured location. If you are using a Point of Sale solution or a PIN pad device, make sure that it is secured to the counter and that you can tell whether or not the device has been altered. In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.

The second issue at play here is the technical aspect of security.  This is of particular consequence, because thieves that are able to access full card data can make counterfeit cards and the volume of fraudulent transactions increases significantly.  To counter this, the PCI SSC has drafted a number of documents specifically aimed at protecting PIN pad devices.  You can find all of the PCI SSC security documents on the Library section of their website.

Security of transaction data is not an "online only" problem. Thieves are able to turn physical theft into credit card fraud. That means the physical instruments that we use to accept credit card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).

On this blog, we have discussed data breaches almost ad nauseam: how they happen, how they can be avoided, and what to do if your business is impacted. What we haven't discussed much is that most merchants, particularly in the SMB segment, are also consumers. So what rights do consumers have when their data has been compromised? The Privacy Rights Clearinghouse has been producing a six-part video series on important privacy topics. This week, the organization released Part 4: Data Breaches: Know Your Rights.

The video walks viewers through an incident in which a consumer is notified that his data has been compromised.  It discusses what questions you should ask and what steps you might take to protect yourself.  As an example, we hear that consumers are often advised to get a “credit freeze” in the wake of a compromise.  But what does that mean and is that really the best option for everyone?

As an additional resource, check out the Fact Sheet also offered by the organization. Unfortunately, data breaches are going to continue to be common for the foreseeable future. Not because organizations aren't taking appropriate steps to protect the data, but because data thieves are often highly motivated and see hacking as a high-reward/low-risk activity. That being the case, as consumers, it makes sense that we educate ourselves on how to respond and what rights we have under the various state or federal laws surrounding our financial or personally identifiable information.

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers' payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS). To learn more about these standards visit this site. Following these guidelines ensures that we are doing what we "should" in terms of protecting the data. But that doesn't mean that others won't be taking action to put you (and your data) in danger – in the form of data compromise. That means that you have to stay vigilant for what others might be doing – "keep your head on a swivel" – to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the guidelines.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves. In a recent interview, Vantiv Vice President David Mattei stated, "…now we're seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems." That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack. One way to foil the fraudsters in this case is with the use of a point-to-point (P2P) encryption and tokenization solution. In this instance, the cardholder data is removed from the merchant system and replaced with "tokens," abstract representations of the card number that reference the real data held by the provider. Merchants can still use the tokens to run reports, issue refunds or fight chargebacks, but data thieves would find them worthless.
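To make the tokenization half of that concrete, here is an added example (not code from the original post or from any provider) of the split the paragraph describes: a provider-side vault holds the mapping between card numbers and random tokens, while the merchant system stores only the token, a masked form and the amount. The `TokenVault` and `MerchantSystem` classes, the `tok_` prefix and the well-known `4111111111111111` test number are all assumptions for illustration; the encryption-in-transit half of a P2PE solution is not shown.

```python
import json
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation so the vault only tokenizes plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the provider-side vault (assumed design): it is the only place
    the PAN exists, and in a real deployment it lives with the processor, not the
    merchant."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:          # same card -> same token, so reports can
            return self._token_by_pan[pan]     # group a repeat customer without the PAN
        token = "tok_" + secrets.token_urlsafe(16)   # random; carries nothing about the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def settle_refund(self, token: str, amount_cents: int) -> str:
        """Processor-side refund: the token is resolved here, never at the merchant."""
        pan = self._pan_by_token[token]        # KeyError for an unknown token
        return f"refund of {amount_cents} to card ending {pan[-4:]}"


class MerchantSystem:
    """What the merchant keeps after tokenization: token, masked number, amount."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.transactions = []

    def sale(self, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(pan)       # the PAN leaves the merchant system here
        self.transactions.append({"token": token, "masked": "*" * 12 + pan[-4:],
                                  "amount": amount_cents})
        return token

    def refund(self, token: str, amount_cents: int) -> str:
        # The merchant references only the token; it never sees the PAN again.
        result = self.vault.settle_refund(token, amount_cents)
        masked = next(t["masked"] for t in self.transactions if t["token"] == token)
        self.transactions.append({"token": token, "masked": masked, "amount": -amount_cents})
        return result


def pans_in(records) -> list:
    """What a thief would find in a dump of the merchant's records: any 13-19 digit
    run that passes the Luhn check. With tokenization in place this comes back empty."""
    blob = json.dumps(records)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]


if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantSystem(vault)
    tok = merchant.sale("4111111111111111", 2599)   # constructed test card number
    print(merchant.refund(tok, 500))
    print("PANs recoverable from merchant dump:", pans_in(merchant.transactions))
```

The design choice worth noticing is that the token is random rather than derived from the card number: an attacker who steals the merchant's transaction table gets a list of opaque identifiers and last-four digits, and the only way to turn a token back into a card number is through the vault, which is not on the merchant's network.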

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.