Massive Travel Industry Data Leak

Prestige Software’s main product Cloud Hospitality, the channel management software to the travel industries biggest consumer buying web sites, including Expedia, Hotels.com, and booking.com left data exposed for over 10 million log files, dating all the way back to 2013. At the November 6, 2020 breaking news, it was not yet known whether the data left open on a server was stolen or not. However, we know that criminals run scripts looking for data all the time so it won’t be a surprise if there was a breach.

A channel manager is used to manage bookings across multiple webs sites, including hotels and restaurants. For example with vacancy management, if there is one room left and someone buys it on booking.com, it will show unavailable on hotels.com. With millions of records exposed around the globe, there is sure to be fall out.

Because both personal and credit card data was exposed, I recommend consumers change their travel web site passwords, email passwords, and keep an on on credit card usage or set up alerts.

The data contained full card data and the security code. It’s a PCI Compliance and card network violation to store sensitive cardholder data, therefore, they could lose the ability to store, transmit, and handle all credit card data. While the booking platforms did not expose the data, there is certainly a weakness. For more information from the team that broke the news, see https://www.websiteplanet.com/blog/prestige-soft-breach-report/.

This incident demonstrates your security is only as good as your weakest link. What actions have you taken to remediate deletion of old records both paper and digital? What about your partners? I know of multiple solutions providers that enable merchants to create their own digital credit card authorization forms. This form is then reviewed or downloaded by an employee, with card data key entered then into some other system by the employee. There are so many things wrong with this, including the signature is not even a valid form of defense for card not present. 3-D Secure is the way to go.

  1. If your company uses a 3rd party for billing and or collections, ask questions.
  2. If you’re not using updated tools to keep card numbers out of employee hands, hardware and software, you’re at risk.
  3. Remember, if cardholder data can be decrypted and viewed, you’re at risk.
  4. If you can see the full card number and security code after authorization, that is not compliant.

Contact me for a FREE checkup for common problems IT and security professionals might miss.

If your company has card data that can be retrieved and viewed, you’re at risk too. I fix that.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

2020 Merchant Credit Card Data Breach List

Updated June 2020, not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause at the time the data breach was announced. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too. To make the list, typically companies are only listed if full card data is stolen.

Restaurants

January 2020- Landry’s owns over 600 popular American restaurants across the U.S., including Del Frisco’s Grill, Joe’s Crab Shack, Bubba Gump, Rainforest Café and more. This is the second data breach since 2016, a result a POS malware. Some waitstaff were accessing an old system with card swipers without end to end encryption. TIP: When updating systems, remove all old terminals from facility; leaving on site commonly leads to reuse. As a consumer, avoid any place that uses card swipers.

Retail & Ecommerce

January 2020: Hanna Andersson– online store malware Magecart in their Salesforce Commerce Cloud (previously known as Demandware). I loved this brand when my kids were growing up. Criminals are hacking into vulnerable e-commerce platforms used by online stores and inject malicious JavaScript-based scripts into checkout pages that collect the customers’ payment info and send it to attacker-controlled remote sites. This is an old problem that updated checkout code prevents.

March 18, 2020: TrueFire online store malware Magecart attack, stolen card numbers for 6 months. Ouch.

June 15, 2020: Claires online store only, Magecard attack. Uses Salesforce Commerce Cloud, previously known as Demandware. This appears to be a new twist on Magecart breach.

Technology

April 22, 2020 Paay, a NY card payments processor startup, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction belonging to 15 to 20 merchants includes full plaintext credit card number, expiry date and the amount spent.

January 28, 2020 Cornerstone Payment Systems, Christian-friendly company that does “not process credit card transactions for morally objectionable businesses,” left online a database with customer payment transaction data. The database contained 6.7 million records since 2013, and was updating by the day. The database was not protected with a password, allowing anyone to look inside. While there was not full card data taken, I felt notable to list.

April 2020 nCourt runs two payment sites courtpay.org and utilitypay.org using a system called GovPSA. Only hashed data was stolen, but newsworthy because affected data was from a legacy system, which commonly have security issues. The first and last four digits were exposed with other card data from at least three years’ worth of transactions up to and including November 2019.

April 6, 2020: Key Ring, a digital wallet app, left stored customer data of 14 million users accessible in an unsecured database. Users store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers)

North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale (POS) products, initial breach report roughly January 2, 2019 to January 25, though for most, the window is just a day or two. Mostly restaurants and small businesses, usually “level 4” merchants requiring a a PCI Council Qualified Integrators and Resellers for Point of Sale installation. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. North Country Business Products has a lot of QIR’s. At least 139 impacted restaurants with credit card data breach dates here. NCBP POS systems are installed at over 6,500 locations.

Don’t be the next credit card data breach victim!

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Call Christine for technology, merchant services and check processing needs.

GovPayNow.com Data Breach

Government Payment Service Inc., a company used by thousands of U.S. state and local governments to accept online payments, leaked over 14 million customer records, including names, addresses, phone numbers and the last four digits of the payer’s credit card. GovPayNet, doing business online as GovPayNow.com, did not leak any sensitive information, as the leak pertained to just customer credit card payment receipts, which has since been resolved.

For the full story, read it on Krebs Security https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/.

 

[24]7.ai Issues Statement After Data Breach Affecting Delta & Sears

SAN JOSE, Calif., April 4, 2018 /PRNewswire/ — [24]7.ai discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies, and affected clients have been notified. The incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.

About [24]7.ai
[24]7.ai is redefining the way companies interact with consumers. Using artificial intelligence and machine learning to understand consumer intent, the company’s technology helps companies create a personalized, predictive and effortless customer experience across all channels. The world’s largest and most recognizable brands are using intent-driven engagement from [24]7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated. The result is an order of magnitude improvement in digital adoption, customer satisfaction, and revenue growth. For more information, visit: http://www.247.ai.

[24]7 and [24]7.ai are trademarks of [24]7.ai, Inc. All other brands, products or service names are or may be trademarks or service marks of their respective owners.

###

Information related to the statement from other sources is below. The company systems were not compromised, but rather they were all using [24]7.ai’s customer service chat widget to interact with customer service personnel, which can result in end users inputting payment card and other personal data.

Delta said a small number of its customers saw their payment information stolen by hackers. The company was alerted to the data breach last week. Sears also said under 100,000 card numbers were taken.

Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy

https://nypost.com/2018/04/04/delta-says-customers-payment-info-breached-in-cyberattack/

Delta Data Breach 2018: Was Your Payment Info Exposed?

Final note. Need a secure payment solution for your chat widget? Call now.

Verifone Investigating Data Breach

Reported by Krebs on Security, Verifone is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted.

“According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

Read the full article here https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/