Adrian-Tiberiu Oprea, a Romanian man, admitted that he helped steal payment card data from hundreds of U.S.-based point-of-sale (POS) systems at the sandwich chain.
Mapco disclosed this week that hackers compromised its payment card processing systems to steal credit and debit card information belonging to an unknown number of customers.
The numbers corresponded to cards used by shoppers at 79 of 100 Schnucks Markets locations in the Midwest. The attacks may have persisted as long as four months, from last December through March 29.
The trojan was recently a topic of discussion on an underground Russian forum, researchers found.
The Payment Card Industry Security Standards Council (PCI SSC) released recommendations for card data security and compliance in cloud environments.
How can we provide the customers with outstanding customer support to complement our products?
Zaxby's, a Georgia-based restaurant chain, said the credit and debit card information of customers at locations in 10 states may have been accessed by fraudsters.
Cezar Butu received the penalty after admitting that he helped infiltrate the credit card processing systems of more than 150 Subway restaurants in 2011.
The PCI Security Standards Council, the body that manages payment industry security guidelines, on Friday released a methodology for meeting a risk management requirement included in the standard.
Less than two weeks after the book giant revealed that PIN pads at dozens of its stores were compromised, four victims have filed lawsuits, alleging the company failed to properly protect their data and notify them in a reasonable timeframe.
EMC has acquired Menlo Park, Calif.-based online fraud detection provider Silver Tail Systems. Silver Tail, which offers "real-time web session and behavioral analysis" for banking, e-commerce and government customers, will operate as part of RSA, EMC's security division.
Fraudsters tampered with the point-of-sale devices at a number of locations to steal customers' debit and credit card information.
Two men each have been sentenced to 36 months in prison for withdrawing tens of thousands of dollars from ATMs with credit card information that was stolen from craft-store retail chain Michaels Stores.
The Federal Trade Commission is alleging that the hotel chain failed to implement basic security practices, which led to a number of costly data-leakage incidents.
A 21-year-old Dutch man is accused of accessing the point-of-sale terminals of restaurants and other businesses to steal credit card numbers, which he and a co-conspirator then sold in underground forums.
The body that manages debit and credit card security standards on Wednesday released best practices for retailers wishing to accept payments via mobile devices.
A group of six has been charged in the latest scam to defraud bank customers through the use of skimming devices, a trend that has seen a noticeable uptick in arrests and prosecutions over the past year.
A new development in the criminal underground is to peddle trojans that steal credit card data from hotels.
A 33-year-old Maryland man on Friday was sentenced to 5 1/2 years in prison for participating in an identity theft and credit card skimming scheme, according to the U.S. attorney's office in Alexandria, Va.
Trustwave's annual review of its data breach response investigations concluded that franchises are now the prime target for hackers seeking customer data, such as credit card numbers.
The EMV standard, widely considered an effective way to curb counterfeit card fraud because it requires a microchip to be embedded in a credit or debit card or on a mobile device, is gradually picking up steam in the U.S.
Visa has issued best practices that detail how retailers, card issuers and processors can upgrade their credit card transaction technology to a chip-based model, so as to avoid burdensome complexity, cost and time to market.
Hackers breached a server belonging to online retailer Zappos and made off with the personal information of 24 million customers, though no credit card numbers were involved.
Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.
Studies show that online consumers are concerned about security and privacy. That means web retailers must ensure they are taking all the steps necessary to ensure a safe and transparent shopping experience.
The defendants allegedly compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases.
As of Monday, at least 80 people were victimized by credit and debit card readers being tampered with.
Proper DNS management by organizations is critical to protecting against threats and staying online during the busy holiday months.
Sony's PlayStation Network again has been hit by hackers, but the limited damage that resulted could point to strides being made by the electronics giant.
Much of the surge can be blamed on SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks.
The organized structure of a huge identity theft operation, based in New York, allowed members to make millions in profits.
Microsoft has introduced a "fairly major" update to its Malicious Software Removal Tool to detect and kill infections of the insidious and constantly morphing data-stealing malware family known as Zbot, or Zeus. Since the software giant first added detection for Zeus last October, hundreds of thousands of Windows PCs have been expunged of the threat, prominent in banking and e-commerce fraud. But as Zeus, which recently merged code bases with SpyEye, continues to acquire advanced evasion capabilities, Microsoft has had to fight "sneakiness with sneakiness," according to a blog post on Wednesday. The company introduced the update as part of its monthly security patches, released on Tuesday.
Much-maligned Sony announced Tuesday that it has hired a former U.S. cybersecurity official to serve as its first-ever chief information security officer. Philip Reitinger, 49, the former director of the National Cybersecurity Center at the U.S. Department of Homeland Security since June 2009, who tendered his resignation in May, will be tasked with assuring the protection of the multibillion dollar company's assets and services. It's been a tough year for Sony, which has experienced multiple breaches, most notably the compromise of its PlayStation Network and Qriocity services, which resulted in the exposure of the personal details of tens of millions of users. Reitinger has been in the private sector before, where he held the role of security strategist at Microsoft.
Fallout continues, and new corporate victims come to light after the massive breach of an email marketing services provider.
A former network engineer at Gucci has been charged with hacking into the company's network, deleting data and shutting down servers and networks.
A growing list of companies, including Capital One, U.S. Bank, Citigroup and JPMorgan Chase, are notifying customers that their email addresses were stolen by hackers.
For many small and midsize businesses, neglecting IT security is a thing of the past, reports Angela Moscaritolo.
Mobile payment service startup Square has refuted claims made by a competitor that its card reader could easily be turned into a skimmer capable of stealing financial and personal information.
eHarmony has confirmed that a hacker recently gained access to a file containing user information, weeks after another popular dating site was compromised.
The PCI Data Security Standard assessment process must change, or the payment industry faces an ethical bind.
The credentials of nearly 30 million online daters are at risk following the exploit of a common website vulnerability. The exact circumstances of the incident remain in question.
A new survey from Cisco reveals that organizations are getting better at handling their obligations to meet payment industry security guidelines.
Visa has enhanced the security of its electronic credit card authorization system, known as VisaNet, to improve the speed and accuracy of fraud detection, the card brand announced Thursday. Earlier this year, Visa improved the processing platform of its Advanced Authorization technology so that it can analyze more information and perform more functions faster. "This provides Visa with a comprehensive view into the global payments system, leading to high levels of intelligence around spending patterns and improving the company's ability to detect and prevent fraud in near real-time," Visa said. The company believes the improvements could lead to a 29 percent gain in fraud detection over 2009. - DK
Operation eMule is targeting a Vietnamese-based fraud operation believed to have duped U.S. retailers out of millions of dollars.
In this instance, the public fervor isn't over the release of secret diplomatic cables but a U.K. academic paper detailing a vulnerability in chip-and-PIN.
The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.
A new Zeus botnet is targeting the credit card accounts of several major U.S. retailers, including Macy's and Nordstrom, according to researchers at online banking security firm Trusteer.
Lawyers, doctors and accountants may avoid having to comply with the Federal Trade Commission's new identity theft rule.
Social networking sites and search engines are expected to be hit hard as cybercriminals try to wrangle in unsuspecting holiday shoppers.
Grocery chain Aldi is warning customers that their payment card information may have been stolen after fraudsters placed altered point-of-sale terminals at a number of Aldi stores in 11 states.
Nations abroad may be forging ahead of the United States in terms of offering consumers enhanced cardholder protection, but the decision to move toward technology such as chip-and-PIN is not always cut and dried.
The average website contains nearly 13 "serious" vulnerabilities, according to a report released this week by White Hat Security, a website risk management solutions provider. The report, which was compiled using data from more than 2,000 websites across 350 organizations, found that cross-site scripting and information leakage flaws were most prevalent, and websites belonging to large organizations - those with more than 2,500 employees - had the highest average number of serious flaws. In terms of industry, banking organizations had the fewest vulnerabilities on average, followed by insurance and health care firms. — AM
The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.
Security professionals must consider all the options available to them to secure cardholder data.
Heartland Payment Systems, the New Jersey-based credit card processor that fell victim to the largest reported data breach of all time, announced on Wednesday that it will settle with Discover for $5 million. Heartland already has settled with Visa for $60 million and MasterCard for $41.4 million over the breach, which exposed an estimated 130 million credit and debit card numbers to organized criminals. The settlement money will be used by Discover to recoup costs related to reissuing cards and any incidents of fraud consumers may have experienced. — DK
Visa on Tuesday announced best practices for companies to use when implementing, installing and managing programs that process payment applications. The guidance will complement the existing Payment Application Data Security Standard (PA-DSS), which prescribes 14 requirements for software developers that build programs that process credit card payments. The Visa payment application best practices, developed in conjunction with the SANS Institute, include 10 guidelines and can be downloaded here. They are meant for vendors, integrators and resellers. — DK
The body that manages PCI guidelines has released a summary of expected changes, but merchants will not find any mention of emerging data security technologies.
Visa on Wednesday released a four-page document that offers best practices for tokenization, the process by which 16-digit credit card numbers are replaced with unique symbols. The guidance is meant to reduce risk for merchants, vendors, service providers and acquiring banks. It covers such areas as detecting suspicious activity so attackers cannot compromise the token system. In addition on Wednesday, Visa, in conjunction with the National Retail Federation trade group, clarified its operating rules around storage of sensitive information. According to the card brand, issuing banks must accept a disguised or truncated card number on transaction receipts for dispute resolution. Also, merchants are permitted to store disguised or truncated card numbers to reduce the amount of data that could be retrieved by attackers. — DK
Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system.
Microsoft has joined forces with the National Cyber Forensics Training Alliance (NCFTA) to launch a portal designed to immediately alert companies if credentials or credit card numbers belonging to their customers or employees have been discovered online.
Police in 12 countries have arrested 178 individuals linked to an international credit card fraud ring. Eight of the alleged members were nabbed in the United States.
Bob Carr, CEO of Heartland Payment Systems, which suffered a record-breaking breach in 2008, has rolled out a new payment solution to its merchants that offers end-to-end encryption of sensitive transaction data. In an interview with SC Magazine's Deputy Editor Dan Kaplan, Carr discusses the new offering and offers an update on the company's recovery 18 months after it announced the breach, which exposed some 130 million records.
The Federal Trade Commission is, for the fifth time, pushing back the deadline for financial institutions and creditors to comply with the Red Flags Rule.
Heartland Payment Systems and MasterCard have settled for $41.4 million over the payment processor's record-breaking data breach, disclosed in January 2009. Under the settlement, MasterCard issuing banks will be eligible to recoup costs related to reissuing cards and any incidents of fraud consumers may have experienced. For the settlement to be official, banks representing 80 percent of the affected accounts must agree to it by June 25. Heartland and Visa settled for $60 million in January. — DK
The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, either will enable security departments to better work with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more than six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK
Visa announced Tuesday that it has banned merchants from providing cardholder data to third parties without first receiving consent from the consumer. The new rule is a move to prevent a deceptive practice known as "data pass," by which a shopper, during checkout, is prompted to enroll in a club membership. The customer often does not realize the offer originates from a different merchant or that it comes with additional fees and charges, Visa said. Under the new rule, consumers will have to re-enter their credit card information if they wish to sign up for the promotions, which have cost some 30 million Americans about $1.4 billion, said Visa, citing a 2009 report from the U.S. Senate Commerce Committee. — DK
Eastern European gangs are systematically conducting well-organized skimming attacks against U.S. consumers and businesses, according to a Gartner analyst.
The sixth and final U.S. person charged two years ago with breaking into the computer networks at discount retail parent TJX was sentenced Thursday. A U.S. District Court judge in Boston sentenced Damon Patrick Toey, 25, to five years in prison and fined him $100,000. Toey pleaded guilty in September 2008 to wire fraud, credit card fraud and aggravated identity theft. He also is connected to a number of other major heists at retailers and payment processor Heartland Payment Systems. The ring's orchestrator, Albert Gonzalez, was sentenced last month to 20 years in prison. Some of Gonzalez' Eastern European-based co-conspirators remain at large. — DK
The number of consumers seriously concerned about the security of online transactions is at its highest level in three years, according to the latest Unisys Security Index, released Tuesday. In the biannual survey of 1,004 consumers, which measures how safe Americans feel regarding national, financial, internet and personal security, 20 percent of respondents were "extremely concerned" about shopping or banking online, up from 16 percent in September 2009. Another 23 percent said they are "very concerned." Meanwhile, identity theft and national security ranked as Americans' top worries, garnering serious concern from 64 and 65 percent of respondents, respectively. — AM
A new Washington state law set to go into effect July 1 will allow banks to recoup certain data breach losses from negligent businesses. Under the new law, passed by the state Legislature in late March, financial institutions can seek reimbursement from large retailers and credit card processors that have suffered a data breach — if they failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). The new law is similar to a Minnesota statute passed in 2007. — AM
Another co-conspirator of hacker Albert Gonzalez was sentenced Monday in federal court in Boston to seven years in prison for playing a major role in the BJ's Wholesale Club and TJX hacks. Christopher Scott of Miami pleaded guilty in September to charges of unlawful access to computers, access device fraud, wire fraud, aggravated identity theft and money laundering, according to court documents. Scott is the latest person involved in the crime ring to be sentenced. The ringleader, Gonzalez, last week received a record-breaking hacking sentence of 20 years. — AM
Court documents unsealed Friday name JCPenney and another retailer as additional targets of notorious hacker Albert Gonzalez' cybercriminal gang.
Jeremy Jethro, 29, was sentenced Tuesday in federal court in Boston to six months home confinement and three years probation for providing accused retail hacker Albert Gonzalez with a zero-day exploit.
Join us Tuesday and Wednesday for our special two-day SC eConference and Expo: Complying with PCI.
While hacker Albert Gonzalez awaits his sentencing date, scheduled for later this month, one of his co-conspirators in the TJX, BJ's Wholesale Club and Sports Authority hacks was sentenced Thursday in federal court in Boston to 46 months in prison and fined $75,000. Prosecutors said Humza Zaman, formerly a programmer at Barclays bank, laundered $600,000 to $800,000 in identity theft proceeds for Gonzalez. Zaman received a 10 percent cut for his work. — AM
Three California men each are facing two dozen charges for running a sophisticated identity theft ring which netted them nearly $2 million, the Los Angeles County district attorney's office announced Monday. Albert Jose Gonzalez, 39, of Lancaster, Josue Gustavo Albizuras, 42, of Los Angeles and Cesar Vasquez Echeverria, 28, of Santa Clarita installed skimmer devices on computerized pay pumps at gas stations to steal customers' credit and debit card information. The men, who have pleaded innocent, were arrested Feb. 25 after a three-year investigation by members of the Los Angeles Sheriff's Department and the FBI. — AM
The Westin Bonaventure Hotel & Suites in Los Angeles recently revealed that hackers may have broken into its point-of-sale systems.
Wyndham Hotels and Resorts (WHR) recently revealed that it was the victim of another data breach after hackers broke into its computer systems and stole customer payment card data and other sensitive information.
Hacker Albert Gonzalez will likely receive a record-breaking prison term, law enforcement officials said Thursday at the RSA Conference.
Four men were charged on Monday with using computer hacking to obtain tickets to major sporting events, theater productions and concerts.
Heartland Payment Systems has settled its first lawsuit with a card brand over the 2008 data breach.
The Massachusetts Supreme Judicial Court last week affirmed a lower court ruling dismissing a case against BJ's Wholesale Club over a 2004 breach.
A federal judge in New Jersey has thrown out one of the three class-action lawsuits pending against Heartland Payment Systems.
Online shopping during the holidays may not be as seamless as customers might want. A new study from software testing services firm uTest, which asked 600 testers from 20 countries to examine three popular shopping sites for technical, functional and security bugs, found that Target had the most reported holes (261), followed by Walmart (150) and then Amazon (94). Nine percent of the discovered flaws were classified as "showstoppers," meaning they were in need of immediate attention. — GM
Retailers need to check their list twice to ensure the proper security measures are in place.
The chairman of the PCI Security Standards Council shares his thoughts on the payment industry's 2009 successes and looks forward to what is on the horizon to ensure the protection of credit card information.
The restaurants, located in Louisiana and Mississippi, are seeking millions of dollars in damages from Georgia-based point-of-sale vendor Radiant Systems and its distributor Computer World.
Cybercriminals have already begun to ramp up their exploits in preparation for Cyber Monday, one of the busiest online shopping days of the year.
The Federal Trade Commission contends that ChoicePoint did not properly implement security improvements after its milestone 2005 data breach.
Sixty percent of IT security professionals polled in a recent study said their organization does not have sufficient resources to become PCI compliant.
TJX, which announced a then-record data breach in January 2007, has settled with the final four banks suing the discount merchant.
The organization charged with administering credit card security guidelines is offering tips to avoid "skimming" attacks.
Cybercriminals have approached data theft in a methodical way, starting at the bottom of the technology stack and working their way up to the top - the applications layer.
Though 83 percent of small businesses are familiar with the PCI DSS, just 62 are compliant, according to a recent survey.
The intent of the PCI standard is really quite simple: To safeguard the information of payment card holders as it makes its way through the network. But things get complex in execution, as the information crosses many touchpoints in the delivery infrastructure.
With the increasing number of collaborative business models, information databases and social networks, sharing and managing identity and access information has become critical.
Forty-four percent of U.S. SMBs have been hit by some form of cybercrime and 10 percent were hit so badly that they had to stop production, according to a survey from Panda Security.
Updated: Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information.
Corporate and public-sector organizations are working with more business partners than ever before -- and the number will continue to grow. Outsourcing, offshoring, supply-chain management, workflow management, value chains and emerging markets: These each signal a warning to information security managers.
During a breach containment process, you may be required to call in a Qualified Incident Response Assessor to conduct a thorough investigation and forensic analysis.