Data Breach at Madison Square Garden

It was revealed recently that the Madison Square Garden Company (MSGC) has suffered a data breach at five of its venues. In a statement, the company wrote that it has notified customers that an investigation found “external unauthorized access to MSG’s payment processing system” at Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theatre, and the Chicago Theatre in the past year. The breach appears to have originated through compromised ‘swipe card’ terminals: older point-of-sale devices that read the magnetic stripe rather than the chip on the card, since ‘Chip and PIN’ (EMV) acceptance is still not widespread in the United States. According to the MSGC statement, “Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.”

That is nearly a year of exposure before the compromise was detected, and during that period those venues hosted hundreds of concerts and sporting events. Madison Square Garden alone held three Kanye West ‘events’, six sold-out concerts by Adele, two Radiohead concerts, and a long-term residency by Billy Joel. Every card swiped to buy merchandise, hot dogs or popcorn at those events may have been compromised. It’s easy, here in...

Three Mobile Data Breach

It was announced this morning that three men had been arrested over a data breach at Three Mobile. The men are thought to have accessed a customer database at Three using ‘authorised logins’; this was not an external attack. Once in the database the perpetrators identified customers who were eligible for handset upgrades, ordered eight ‘high value handsets’ and then intercepted them before delivery. Dave Dyson, Three’s CEO, said: “I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.” Dave Dyson’s full statement can be found here. As well as the intercepted upgrades, a further 400 ‘high value handsets’ have been stolen in burglaries, presumably targeted using the compromised customer data. Given that the iPhone 7 starts at £600, 400 of those represent a potential loss of around a quarter of a million pounds: less than the cost of the recent Tesco Bank breach, but hardly loose change.

It’s not clear when the data was fraudulently accessed, or whether it was extracted and subsequently sold on. Customer data of this kind could be used for ‘credential stuffing’ and future identity theft, as we described here after the data breach that O2 reported this summer. Three claims to have strengthened its data controls, but Three customers should exercise caution and consider changing their Three password, and the password on any other site where they may have reused it. Obviously it’s best practice...

Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that they haven’t been detected. As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.” According to the BBC News website (here) today (November 9th) there are around 9,000 more UK consumers who have learned first hand about data breaches: the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimate of 20,000 compromised accounts, and Tesco says it has refunded £2.5m to customers whose accounts were siphoned. A further 20,000 accounts are reported to have been compromised; that’s 29,000 of the roughly 136,000 current accounts operated by Tesco Bank, or around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to its credit it locked its systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’, when bank offices are likely to be understaffed. Customers have reported thefts of between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach, both in numbers and in geography, suggests that the bank details were harvested from a database rather than from individual transactions (for example via card skimmers on cashpoints). Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated...

Indian Debit Cards Compromised

While we at Compliance3 continue to work with companies in the UK and Europe to ‘take risk off the table’ by taking card data out of their data environments, criminals continue to probe other markets for chinks in the armour of payment card security. The latest data breach to come to our attention (it may not have registered on your radar) is on the Indian sub-continent. The BBC ran a story last week (here) reporting “fears that the security of more than 3.2 million debit cards has been compromised”. The compromise appears to have emanated from an ATM network infected with malware. Okay, so 3.2 million cards represents only about half of one per cent of all cards issued in India (there are some 700 million debit cards in issue there), and to date fraudulent transactions have totalled only around $195,000 (13 million rupees), mainly in China and the US, but that is still a lot of cards at risk, and potential damage to India’s newly emerging card-based economy. Indian banks are struggling to get cashless transactions accepted, with only around 10 digital transactions per head per annum compared to around 260 per head per annum in the UK, and data compromises like this will not help foster trust. Shaktikanta Das, Secretary of the Department of Economic Affairs in the Indian Government, said: “There is no cause for alarm. The integrity of IT system of banks is robust and whatever action is required, the government will take promptly.” Mohit Bahl, Head of Forensic Services at KPMG India, suggested that while “Indian Banks have cyber...

GDPR – Four Hundred Days

While much of the country continues to debate the ramifications of June’s ‘Brexit’ vote, there are some pieces of European legislation that will remain in force post ‘Brexit’. Key among these is the upcoming General Data Protection Regulation (GDPR). GDPR, adopted in April 2016, is a wholesale reform of data protection and data privacy law across the EU. Much of the existing law is no longer fit for purpose; the UK’s Data Protection Act dates from 1998, six years before the launch of Facebook and eight years before Twitter. The implication of Brexit is that UK companies wishing to deal with EU citizens and organisations will be required to adopt ‘adequate’ data protections, at least as stringent as GDPR. And the clock is ticking: GDPR applies from 25th May 2018. That’s just four hundred working days from today, October 17th 2016. There’s much for organisations to do, but understanding the implications is always a good start. Compliance3 has partnered with New Leaf, and we believe that together we can provide what we consider the “Gold Standard” in preparing companies for GDPR or its equivalent. We’ve produced a Briefing Note that can be downloaded from our ‘Resources’ section, or from here. Take a look and get in touch; we can help your GDPR...

Two interesting news stories

Yesterday (October 5th) saw two interesting news reports; one made headlines, the other didn’t. The first was the fine of £400,000 imposed on TalkTalk following its data breach last October, which we first reported on here. The fine, the largest yet imposed by the Information Commissioner’s Office (ICO), was slightly less than the £500,000 maximum it could have levied, and is small change compared to the £42 million, and the loss of 101,000 customers, that TalkTalk admits the breach has so far cost it. The ICO’s full announcement is here; it states that the names, addresses, telephone numbers and email addresses of 156,656 TalkTalk customers were accessed, and that some 10% of those records also included bank sort codes and account numbers. The stolen data was held in a database of customers who joined TalkTalk when it acquired the UK operations of Tiscali in 2009. The data was accessed using the relatively simple technique of SQL injection through a web page: user-supplied input was passed into database queries without being kept separate from the query text itself. TalkTalk had already suffered two similar cyber attacks in 2015 that should have highlighted the vulnerability. The Information Commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” While it was initially thought that the data breach had been committed by cyber terrorists, six people – all under 21 – have been...
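To show what ‘SQL injection into a web page’ actually means in code, here is an added example written for this page (it is not TalkTalk’s or Tiscali’s code, and nothing is known about their actual schema). It uses an in-memory SQLite database with a constructed customer table, and puts the vulnerable lookup next to the hardened one: the first splices the request parameter into the query text, the second binds it as a parameter so the database only ever treats it as a value.

```python
"""Added example: SQL injection on a customer lookup, vulnerable vs. parameterised.

The table, columns and customer rows below are constructed for the demo and
are not taken from any real breach.
"""
import sqlite3

# Constructed sample data (invented names, emails and bank details).
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.net", "12-34-56", "12345678"),
    (2, "Bob Example", "bob@example.net", "65-43-21", "87654321"),
    (3, "Carol Example", "carol@example.net", None, None),
]

# A tautology payload: the quote closes the string literal the query was
# expecting, and the OR clause makes the WHERE condition true for every row.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        " id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
        " sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Look up a customer by email by concatenating the input into the SQL.

    Anything the user types becomes part of the statement, so quotes and SQL
    keywords in the input change what the query does. This is the bug class
    the ICO describes.
    """
    query = (
        "SELECT name, email, sort_code, account_no FROM customers"
        " WHERE email = '" + email + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter.

    The statement text is fixed; the driver sends the value separately, so
    the payload is compared literally against the email column and matches
    nothing.
    """
    query = (
        "SELECT name, email, sort_code, account_no FROM customers"
        " WHERE email = ?"
    )
    return conn.execute(query, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with the payload.

    Returns the row counts so the difference can be checked programmatically:
    the vulnerable query returns the whole table for the payload, the
    parameterised one returns nothing.
    """
    conn = make_db()
    return {
        "normal": len(lookup_vulnerable(conn, "alice@example.net")),
        "vulnerable_with_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_with_payload": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The lesson is the one in the Commissioner’s statement: this is a basic measure. Binding parameters (or using an ORM that does so) removes the whole class of bug without any need to guess which characters to filter, and the same applies to every language and database driver, not just Python and SQLite.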