Optimal Payments data breach

(Reuters) – British mobile payments company Optimal Payments Plc said it was investigating allegations that personal data belonging to some of its customers had been compromised and was available in the public domain.

Optimal shares fell 11 percent to 309.5 pence, their sharpest fall in a day this year and lowest since Sept. 16.

The company said the allegations were that the data breaches had occurred at two of its units in 2012 or earlier.

The data consists of names and email addresses of customers and is available for purchase on the “dark web”, a source with knowledge of the hack told Reuters.

The dark web is an area of the Internet that can only be accessed through software that makes web browsing anonymous.

Optimal’s NETELLER and Moneybookers Ltd units had suffered data breaches as a result of cyber attacks in 2009 and 2010, but none of its customers lost any money as a result, the company said.

Optimal said it had informed the Information Commissioner and the Financial Conduct Authority (FCA) about the matter.

The company said it came to know about the allegations following media enquiries.

(Reporting By Mamidipudi Soumithri in Bengaluru; Editing by Anupama Dwivedi and Gopakumar Warrier)

List of Credit Card Data Breaches by Industry

Updated Summer 2019, not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too.

In January 2019, security researcher Troy Hunt discovered a massive database on the cloud storage site MEGA, which contained 773 million email addresses and 22 million unique passwords collected from thousands of different breaches dating back to 2008. The information was posted on a popular hacking forum, where it could be passed around further. If you’re concerned that your credentials may have been compromised, visit Have I Been Pwned?

Software & POS companies

  • Fieldwork Software– 2019. provides business software to small businesses, including recurring billing
  • FastBooking– hotel booking website, 4,000 partner hotels in 100 countries
  • PumpUp fitness app- user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values. 6 million records, disclosed May 2018 (Based on data, probably exposed for all time)
  • Sabre SynXis Central Reservations system- About 36,000 hotels use SynXis, not all cards were compromised. August 2016 to March 2017.
  • 247.ai Chat provider with payment acceptance for big companies like Delta, Best Buy, Sears and others. You don’t need to have used the online chat software to be affected potentially. Sept. 26-Oct. 12, 2017
  • Modern Business Solutions (hosting) October 2016, 26-260 million
  • Staminus – March 2016. Stored card data stolen from hacked server.
  • Harbortouch POS – “a small percentage of their restaurants and bars customers”; Malware. May 2015 announced; scope and exposure dates under investigation. 4200 merchants, how many cardholders?
  • NEXTEP Systems- vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach. March 2015
  • Advanced Restaurant Management Applications – mostly in Colorado. 2015
  • Charge Anywhere LLC, a mobile payments provider. November 2009 and September 2014
  • Signature Systems Inc., 2014 point-of-sale vendor. 216 Jimmy John’s stores and 108 other independent restaurants locations. Malware installed remotely.
  • SP +  POS malware 2014
  • Moolah Payments 2014
  • Information System & Supplies, Inc., 2014 independent reseller of POS products. Unnamed restaurant customers.
  • Paytime Inc., 2014, a Pennsylvania payroll company
  • Big Tree Solutions- 2014 see Bring it to me below (breach not reported, but susceptible)
  • Datapak Services Corporation-2013,  order fulfillment provider and payment processor for several Web sites
  • Heartland Payment Systems 2008-2009, 130 million

Healthcare

  • Bulloch Pediatrics Group – 2014 burgled storage with old records
  • Specialized Eye Care, 2014, insider breach of card numbers and checking account info
  • McBroom Clinic- payment data on portable flash drive sent to vendor along with other materials; vendor presumably discarded USB without seeing

Retail

  1. Lord & Taylor, Saks Fifth Avenue and Saks Off 5th (parent Hudson Bay) point of sale, total system compromise per class action during the breach period of March 2017 to March 2018; over 5 million card records. April 2018.
  2. Forever 21- Malware was installed on some point of sale (POS) systems in stores across the U.S. at varying times between April 3, 2017, and November 18, 2017. However, records prior to that may also have been compromised via logs
  3. Home Depot, 2014, “BlackPOS” (a.k.a. “Kaptoxa”) malware, 56 million
  4. Staples, 2014 over 1 million cards. subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.
  5. Michael’s, POS malware
  6. Target 2013, “BlackPOS” (a.k.a. “Kaptoxa”) malware, 93 million
  7. Goodwill, POS malware, over 800,000
  8. Bebe – U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014
  9. Kmart – 2014. Point-of-sale registers at its Kmart stores were compromised by malicious software
  10. Sally Beauty Supply, 2014, over 250,000 cards, malware
  11. Neiman Marcus, Thanksgiving 2013 to Dec. 15, over 40 Million cards, POS malware
  12. Sheplers, 2014 hacked POS
  13. Dreslyn. 2014 unknown
  14. Victoria’s Secret, Orlando location employee card skimming
  15. Aaron Brothers. 2014, over 400,000
  16. Rosenthal the Malibu Estates, 2014 malicious software
  17. Harbor Freight Tools, 2013 a U.S.-based chain of 400 retail tool stores

Hotels  & Travel

  1. See Sabre SynXis for software. Huge hotel impact, August 2016 to March 2017.
  2. Prince hotels, 124,000 for foreign booking; the English, Chinese and Korean website, run by Fastbooking Co., was hacked on June 15 and 17, 2018.
  3. Trump Hotel Collection reportedly breached again
  4. Rosen Hotels & Resorts, Sept. 2, 2014, and Feb. 18, 2016 compromised payment card network
  5. Hyatt- over 250 hotels, discovered in Nov. 2015 involved POS malware
  6. Starwoods Hotel & Resorts, discovered in Nov. 2015, POS malware
  7. 9/28/2015 Banks pointing fingers at Hilton properties, including Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts. Hilton announced multiple intermittent breaches in 2014 and 2015
  8. Hard Rock Hotel Las Vegas “limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant.”
  9. March 2015 Mandarin Oriental Hotel, Malware. Credit card systems in an isolated number of hotels in the US and Europe.
  10. From White Lodging Services Corp- certain Marriott, Holiday Inn, Sheraton and other hotel properties. The breach occurred at food and beverage outlets at 14 hotels, including some operated under the Westin, Renaissance and Radisson names, between March 20 and December 16, 2013.
  11. Presidian Hotels & Resorts
  12. Grand Casino Mille Lacs 2014
  13. Houstonian Hotel, Club & Spa, 2014 over 10,000, Malicious software attack
  14. Embassy Suites Hotel, South San Francisco, 2014
  15. Travelocity 2013, several employees of a Travelocity service provider misused certain information, including payment card numbers, to which they had access as part of performing services
  16. Intercontinental Mark Hopkins San Francisco, 2013

Ecommerce

  1. Quest Diagnostics- announced June 3, 2019. hackers took control of the payments page of one of Quest’s billing collections vendors, American Medical Collection Agency (AMCA), between August 2018 and March 2019.
  2. Opko Health- impacted by American Medical Collection Agency (AMCA)
  3. Atlanta Hawks- April 25, 2019 The hackers installed a credit card skimming code on the site, stealing the names, dates of birth, and payment card details of anyone who shopped on the site after April 20, 2019.
  4. OXO January 10, 2019 -was hacked in two separate incidents over the past two years
  5. DiscountMugs.com  January 4, 2019: was hacked for a four-month period in the latter half of 2018. The company announced that it had discovered malicious card skimming code placed on its payment website.
  6. Walmart partner MBM Company Inc., which operates Limogés Jewelry. For purchases made between 2000 and early 2018
  7. Orbitz March 2018, over 800,000 personal information — including full names, credit card numbers, phone numbers, and e-mail and street addresses
  8. Sears  [24]7.ai data breach. Under 100,000, April 2018
  9. Delta [24]7.ai data breach April 2018
  10. Adidas 2018 millions
  11. Macy’s April 26 and June 12, 2018
  12. fashiontofigure.com Fashion Figure (B. Lane, Inc.). Has 18 retail stores plus ecommerce store; no clear indication where breach occurred. Reported as Date(s) of Breach (started): Tuesday, May 19, 2015; Date(s) of Discovery of Breach: Friday, October 16, 2015. Fashion Figure is notifying customers of a data breach to their system when they discovered unauthorized access to names, customer IDs, addresses, phone numbers, email addresses, and credit card information. After investigation, the company found malware installed on their webserver. The web configuration is not known at the time of the breach, and most companies take immediate action to update once discovered; Ecommerce shopping cart is currently Magento with Magento One Page Checkout – Fire Checkout plugin, and authorize.net payment gateway.
  13. http://www.northshorecare.com/ North Shore Care Supply. The information accessed included debit/credit card information, names, addresses, card numbers, verification codes and expiration dates. Online purchases made between June 7, 2015 and August 24, 2015 are at risk. The web configuration is not known at the time of the breach, and most companies take immediate action to update once discovered; Ecommerce shopping cart is currently Magento with iframe authorize.net payment gateway.
  14. Web.com August 2015, reportedly 7 years of data, 93000 records
  15. Accuform Signs November 2, 2015
  16. onestopparking.com 2014
  17. Park-n-Fly.com 2014
  18. Sourcebooks, 2014 Web site shopping cart software
  19. Dutchwaregear.com 2014
  20. simmsfishing.com 2014 webhost malware
  21. duluthpack.com, 2014 malware
  22. backcountrygear.com 2014 malware
  23. American Soccer Company, Inc. / SCORE, 2014 malware
  24. Evolution Nature Corp., d/b/a The Evolution Store, 2014 malware
  25. Flinn Scientific, Inc, 2014 malware
  26. BayBio, 2014 malware
  27. Viator (a subsidiary of TripAdvisor), 2014 hacked: 1.4 million users’ information stolen, including payment card data
  28. Yandy.com, 2014 cyberattack, over 40,000 records
  29. TheNaturalOnline.com. 2014, malware
  30. Wireless Emporium / Test Effects, LLC server malware
  31. California Department of Motor Vehicles 2014, online only
  32. Bring It To Me, LLC, 2014. Our online ordering software provider, BigTree Solutions, recently informed us that they identified unauthorized modifications in their software that could potentially allow new payment credit card information entered between October 14, 2013 and January 13, 2014 to have been obtained by an unauthorized user
  33. Smartphone Experts, 2013

Restaurant

  1. EatStreet- 6 million users, May 3-17
  2. Checkers and Rally’s restaurants May 29, 2019. Point-of-sale systems hacked, compromising customers’ full payment card information.
  3. Earl Enterprises- Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria, March 29, 2019. Earl Enterprises announced a breach of its payment systems after discovering malware that stole customer credit and debit card information.
  4. Dunkin’ Donuts February 12, 2019: Not a credit card breach, but for the second time in three months, Dunkin’ Donuts announced a data breach affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, and have been selling them on the Dark Web for profits.
  5. Darden 2018
  6. Chili’s (parent Brinker International), which has more than 1,600 locations worldwide, did not disclose which locations or how many diners might have been affected, but that it believes “the data incident was limited to between March – April 2018 for in-store purchases.”
  7. PDQ- May 19, 2017 – April 20, 2018 (breach time period)
  8. Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, Chart House, Rainforest Cafe and Morton’s. Announced December 2015; end to end encryption installed at 92% of locations (was in progress at time of breach, still under investigation)
  9. PF Chang’s, 2013-2014
  10. Chick-fil-A 2014
  11. Dairy Queen, 2014, about 400 locations. Backoff malware on point-of-sale.
  12. Jimmy John’s, 2014, 216 stores. point-of-sale systems made by Newtown, Pa.-based Signature Systems.
  13. Beef O’Brady’s 2014 hacked
  14. OTTO Pizzeria, 2014 malware, 900 customers
  15. Wendy’s- 2014, malware MI location only; Wendy’s 2016- still investigating, but may be limited in geographical scope

Misc

  • Taxi Affiliation Services /Dispatch Taxi

Data Breach List Resources (bookmark this page)

  • http://www.scmagazine.com
  • http://krebsonsecurity.com/
  • http://databreachtoday.com
  • http://www.bankinfosecurity.com
  • http://www.idtheftcenter.org/id-theft/data-breaches.html
  • http://www.esecurityplanet.com
  • https://www.privacyrights.org/data-breach

Backoff Malware impacts over 1000 small merchants POS systems : data breach scope TBD

The Secret Service reported that seven POS systems providers/vendors have confirmed that they’ve had multiple clients affected. The Backoff virus was detected in October 2013 and was not recognized by antivirus software until August 2014. Typically getting access to merchant systems with weak passwords, the hackers then install Backoff to gather credit card data. This is the same problem that impacted Target, Supervalu and UPS, according to the NY Times.

The Department of Homeland Security (DHS) strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised. The Secret Service is active in contacting merchants as they’re identified.

In addition to antivirus, firewall and other software updates, merchants can choose payment systems that are segregated from their POS system, and add point-to-point encryption (P2PE) terminals.

 

Target credit card data breach: Facts, Resources and Risk Mitigation

The Target data breach, discovered December 15, impacts all credit and debit card transactions in the USA between Nov. 27 and Dec. 15. This article explores what happened, why it happened, what merchants can learn from the incident, and links to top stories.

THE DATA BREACH INCIDENT:
On December 15, 2013, Target discovered malware on their USA point of sale (POS) system and disabled the malware code. The impact is over 40 million cards. Notably, the breach affected in-store transactions only.

From Business Insider,  “As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number.” Read More: The Incredibly Clever Way Thieves Stole 40 Million Credit Cards From 2,000 Target Stores In A ‘Black Friday’ Sting

Stolen was the track data from the magnetic stripe, and equivalent data from chip cards. According to Target, the CVV data encoded on the magnetic stripe was stolen. The CVV2, the three- or four-digit value printed on the back or front of the card, was not. CVV2 data is never on the magnetic stripe, for security, so it would have to have been manually entered to be stolen. (From Target: “No indication that CVV2 data was compromised.”)

Also stolen were encrypted 4-digit debit PINs. This data is encrypted on the POS device and is simply passed through to the processor in the encrypted state. From Target, “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Summary: thieves have enough information to clone credit cards for retail sales

DAMAGES

The data quickly reached the black market with nefarious buyers taking advantage.

HOW COULD THE TARGET DATA BREACH HAPPEN?

In my opinion, and that of others, it’s likely related to system architecture. The thieves were able to get the full track data needed to clone cards, increasing the risk of the data being used. Target uses a custom POS application, which requires Payment Application Data Security Standard (PA-DSS) compliance in addition to Payment Card Industry Data Security Standard (PCI DSS) compliance.

From Security: Dark Reading, Target Breach Should Spur POS Security, PCI 3.0 Awareness: Lyne says he believes the Target breach points to poor architectural and business practices. “It is critical that organizations handling such data take steps to protect it — such large volumes of data should never be accessible by one user or process — and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.

An alternative workflow encrypts data at the point of sale by a payment gateway, which then delivers to the payment processor. This segregates point of sale data from payment data, reducing the scope for PCI compliance, and removing the POS application from scope for PA DSS. The payment application sends non-sensitive information, such as authorization code, back to the POS.

One way to spot potentially vulnerable systems as a consumer is whether or not the POS shows the item name and amount on the signature capture pad. This is an indication that the POS may be driving the payment application. When payment and POS are segregated, the signature capture pad shows only payment information.

PAYMENT GATEWAYS

Solutions fall into two categories: processor gateways and third party gateways. Merchants may be reluctant to integrate a processor gateway because it locks them into a specific vendor and can be very disruptive to operations to make a change in the future. Third party gateways provide increased flexibility, but also add extra cost to each transaction.  Factors included in choosing a solution include: single vs multi-store, USA or international, payment types, consumer or business to business, future purchase methods – need to store credit card information for recurring billing, multi-channel, and others.

THE IMPACT OF EMV

Target was an early adopter of EMV (Europay, MasterCard & Visa), an open-standard set of specifications for smart card payments and acceptance devices. Credit and debit cards contain a small computer chip; this makes it harder to steal data on the point of sale device and to clone cards.

EMV vs magnetic stripe cards: Traditional magnetic stripes contain “static” data consisting of the Primary Account Number, expiration date and other information; the same information is passed to the card issuer for every transaction. This makes it easy to clone cards.

EMV uses dynamic authentication.  In EMV transactions using dynamic authentication, the data changes with every transaction, thus any captured information is effectively useless to thieves. The chip is nearly impossible to counterfeit.

In the US, with low EMV merchant acceptance capabilities, cards may be issued with both magnetic stripe and chip. This means that thieves can still clone cards that contained a chip if the consumer uses the magnetic stripe in the transaction.

THIEVES AT WORK: HOW MERCHANTS CAN MITIGATE RISK

Without CVV2 data, using the card data for online transactions is unlikely because most ecommerce merchants verify that data. Retailers will be most at risk for cloned cards.

5 tips to prevent losses linked to cloned cards from Target or any other data breach:

  1. By card association rules, merchants can ask for identification, but they cannot deny a transaction if the cardholder will not provide it.
  2. Checking the zip code at the POS, where allowed by state law. *  The average thief doesn’t have this information and wouldn’t take the time to memorize it anyway. An intelligent system will decline the transaction if the zip code doesn’t match.  This may be inconvenient, especially in a fast paced environment. Some solutions allow merchants to validate the zip code only if over a certain dollar amount, reducing checkout burden while increasing risk management.
  3. Train cashiers to look at the cards for proper holograms and logos.
  4. Train cashiers to verify signatures.
  5. Require cashier to verify the last 4 digits at the POS.*  With cloned cards, the front of the card often does not match the magnetic stripe data. This is a highly successful fraud prevention tool to implement with minimal effort.

* Contact your processor to turn the zip code or last 4 digits flag on, or modify the payment gateway settings, whichever is appropriate.
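Tips 2 and 5 above can be expressed as POS-side logic. The following is an added example, not code from the original article or from any processor or gateway: `review_swipe`, `zip_matches` (assumed to be the processor's ZIP verification result) and `zip_threshold_cents` are hypothetical names, and the swipes are constructed samples built on a well-known test card number. It also flags a chip card that was swiped, the case the EMV section describes as still clonable.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2_RE = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample swipes using the test PAN 4111111111111111.
SAMPLE_CHIP = ";4111111111111111=25122010000000000?"  # service code 201 (chip card)
SAMPLE_MAG = ";4111111111111111=25121010000000000?"   # service code 101 (stripe only)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def last4(self) -> str:
        return self.pan[-4:]

    @property
    def has_chip(self) -> bool:
        # First service-code digit 2 or 6 means "use the chip where feasible".
        return self.service_code[0] in "26"

    def masked_pan(self) -> str:
        # First six and last four only, so logs never hold the full PAN.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


@dataclass
class Decision:
    action: str  # "approve", "prompt_zip" or "decline"
    reasons: List[str] = field(default_factory=list)


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    return Track2(pan=m.group(1), expiry_yymm=m.group(2), service_code=m.group(3))


def review_swipe(raw: str, keyed_last4: str, amount_cents: int,
                 zip_matches: Optional[bool] = None,
                 zip_threshold_cents: int = 5000) -> Decision:
    card = parse_track2(raw)
    reasons = []
    if card.has_chip:
        reasons.append("chip card was swiped; stripe data is the clonable path")
    # Tip 5: digits the cashier reads off the card face must match the stripe.
    if keyed_last4 != card.last4:
        reasons.append("card face last 4 do not match stripe for " + card.masked_pan())
        return Decision("decline", reasons)
    # Tip 2: ask for the ZIP code only when the sale is over the threshold.
    if amount_cents > zip_threshold_cents:
        if zip_matches is None:
            reasons.append("amount over threshold; ZIP code required")
            return Decision("prompt_zip", reasons)
        if not zip_matches:
            reasons.append("ZIP code mismatch reported by processor")
            return Decision("decline", reasons)
    return Decision("approve", reasons)
```
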

TARGET DATA BREACH TRENDING STORIES AND LINKS

Krebs on Security: Who’s Selling Credit Cards from Target? http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/

Wall Street Journal: Target’s Data-Breach Timeline 

http://www.abullseyeview.com/ Target’s web site for an inside view. Includes http://www.abullseyeview.com/2013/12/target-data-breach-5-things-you-need-to-know/

https://corporate.target.com/about/shopping-experience/payment-card-issue-faq Target’s corporate web site. Everything consumers need to know. (Author note: Target advises monitoring for fraud. I advised my daughter to request an immediate debit card replacement.)