Data Breach at Madison Square Garden

It was revealed recently that the Madison Square Garden Company (MSGC) has suffered a data breach at five of its venues. In a statement, the company wrote that it has notified customers that an investigation found “external unauthorized access to MSG’s payment processing system” at Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theatre, and the Chicago Theatre in the past year. The data breach appears to have originated through compromised ‘swipe card’ machines, the older version of PED (PIN Entry Devices) – as the use of ‘Chip and PIN’ is still not widespread in the United States. According to the MSGC statement, “Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.” That’s nearly a year before the compromise was detected, and during that period those venues hosted hundreds of concerts and sporting events. Madison Square Garden alone held three Kanye West ‘events’, six sell-out concerts by Adele, two Radiohead concerts, and a long-term residency by Billy Joel. And every card used to purchase merchandise, hot dogs or popcorn at those events might be compromised. It’s easy, here in...

Three Mobile Data Breach

It was announced this morning that three men had been arrested for a data breach at Three Mobile. The men were thought to have accessed a Customer Database at Three Mobile using ‘authorised logins’. This was not an external attack. Once in the database, the perpetrators identified customers who were eligible for handset upgrades, ordered eight ‘high value handsets’ and then intercepted them prior to delivery. Dave Dyson, Three’s CEO, said “I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.” Dave Dyson’s full statement can be found here. As well as the intercepted upgrades, a further 400 ‘high value handsets’ have been stolen through burglaries – presumably targeted using the compromised Customer Data. Given that the iPhone 7 starts at £600, 400 of those represent a potential loss of a quarter of a million pounds. Less than the cost of the recent Tesco Bank breach, but hardly loose change. It’s not clear when the data was fraudulently accessed, or whether it was extracted and subsequently sold on. Customer data could be used for ‘credential stuffing’ and future identity theft – as we described here after the data breach that O2 reported this summer. Three claims to have strengthened its data controls, but Three customers should exercise caution, and consider changing their Three password, and the password on any other sites where they might reuse the password. Obviously it’s best practice...

Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that the breaches haven’t been detected. As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.” According to the BBC News website (here) today (November 9th), there are around 9,000 more UK consumers who have learned first hand about data breaches; they’re the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimates of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts were siphoned. Another 20,000 accounts are reported to have been compromised; that’s 29,000 of around 136,000 current accounts operated by Tesco Bank – around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’ when bank offices are likely to be understaffed. Customers have reported the theft of amounts between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach – both in terms of numbers and geography – suggests that the bank details had been harvested from a database rather than from individual transactions – such as card skimmers on cashpoints. Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated...

Indian Debit Cards Compromised

While we at Compliance3 continue to work with companies in the UK and Europe to ‘take risk off the table’ by taking card data out of their data environments, criminals continue to probe other markets to find potential chinks in the armour of payment card security. The latest data breach to come to our attention – it may not have registered on your radar – is on the Indian sub-continent. The BBC ran a story last week (here) that reported “fears that the security of more than 3.2 million debit cards has been compromised”. The compromise appears to have emanated from an ATM network infected with malware. Okay, so 3.2 million cards only represents half of one per cent of all cards issued in India (there are some 700 million debit cards issued in India); and to date fraudulent transactions have only totalled around $195,000 (13 million rupees) – mainly in China and the US – but that’s still a lot of cards at risk, and potential damage to India’s newly emerging card-based economy. Indian banks are struggling to get cashless transactions accepted, with only 10 digital transactions per head per annum, compared to around 260 per head per annum in the UK; and data compromises like this will not help foster trust. Shaktikanta Das, the Department of Economic Affairs Secretary of the Indian Government, said “There is no cause for alarm. The integrity of IT system of banks is robust and whatever action is required, the government will take promptly.” Mohit Bahl, Head of Forensic Services at KPMG India, suggested that while “Indian Banks have cyber...

YAHOO! Data Breaches

YAHOO! today confirmed that the personal details of ‘up to 500 million users’ may have been stolen, back in 2014, in a data breach that Yahoo believes was initiated by a “state-sponsored actor”. That’s a stunning data breach, potentially compromising one in fifteen people worldwide. Rumours of the breach started back in August when a hacker called ‘Peace’ claimed to be selling data from 200 million Yahoo clients. At that time Yahoo dismissed the claims, saying that the data probably related to a 2012 data breach when a mere 400,000 of its user accounts were compromised. In 2012 Yahoo said “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” The timing of the announcement of this breach couldn’t be worse for Yahoo!, as they negotiate the sale of their core business to Verizon for $4.8 billion. Nordic cybersecurity expert Per Thorsheim – who broke the news of the 2012 LinkedIn data breach – described the latest Yahoo! data breach as “massive”, adding “It will cause ripples online for years to come.” Perhaps more telling are the comments from U.S. Senator Richard Blumenthal, who is calling for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.” Senator Blumenthal said in a statement “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Yahoo! were at pains to point out that no payment card data was compromised...