Data Security Breaches at Retailers

Security breaches and identity theft are becoming an increasing concern for consumers as hackers continue to target large retailers. Target, Sally Beauty Supply, Neiman Marcus, Home Depot, Michaels, Dairy Queen and Kmart are among retailers recently hacked. These incidents have resulted in stolen personal information such as phone numbers, addresses, emails, and credit card information. As a result of these breaches, affected consumers are more likely to fall victim to identity theft.

The following is a summary of retailers who recently suffered a data breach. Reports suspect hackers were able to infiltrate these stores by installing malware on their point-of-sale systems. Information was then stolen when credit cards were swiped at the store during checkout. The data stored on the magnetic strip of the credit cards, such as the number and expiration date, was then used to make replicas and sold on the black market.

Target

Target’s security breach occurred late in 2013. Reports concluded that 110 million people were victims of stolen personal information due to the breach. Credit card numbers, names, addresses, phone numbers, and emails were included in the theft.

Sally Beauty Supply

Sally Beauty Supply detected a breach in February of 2014. During this hack, nearly 25,000 customers' credit card information was stolen, including the 3-digit CVV numbers.

Neiman Marcus

Hackers began infiltrating Neiman Marcus as early as July of 2013, and were not stopped until January of 2014. Neiman Marcus reported that up to 1.2 million credit and debit card users were potentially affected by the security breach.

Home Depot

In September 2014, Home Depot confirmed that they were the latest victims of a data breach. Home Depot began investigating transactions from April of 2014 through September. The scope of the breach is still being verified. At this time, debit PIN numbers are not expected to have been compromised, just credit card numbers. It is highly likely that Home Depot was hacked by the same malware that breached Target’s systems in 2013.

Home Depot has confirmed that brick and mortar stores in the United States and Canada are affected. There is no evidence that the stores in Mexico and transactions through HomeDepot.com have been affected.

The breach appears to be larger than Target’s data breach that occurred late in 2013. Target’s breach cost the company an estimated 148 million dollars. The Home Depot breach is expected to have affected more than Target’s breach did, which included at least 40 million credit cards and 70 million other pieces of customer data.

Michaels Stores

In January of 2014, Michaels Stores suffered a data breach. The attack occurred between May 2013 and January 2014. Roughly 3 million customers were subject to theft. During the attack, hackers stole credit and debit card numbers, as well as expiration dates. Luckily, PIN numbers and cardholders' names were not suspected to have been compromised.

Dairy Queen

Dairy Queen announced in October of 2014 that they were hit with a security breach. Malware on the registers stole customers' credit card data from 395 different Dairy Queen locations. There is no evidence that PIN numbers, social security numbers or email addresses were compromised. However, credit card numbers, expiration dates and customer names were exposed during this breach.

Kmart

On October 9, 2014, Kmart discovered that they had suffered a security breach. No personal information such as social security numbers or PIN numbers is suspected to have been stolen. Credit and debit card numbers were the target of this particular breach.

Comparison of Security Breaches

| Company | Duration | People Affected | Info. Stolen |
|---|---|---|---|
| Home Depot | April 2014 – Sept. 2014 | 56 Million | Card numbers |
| Target | Nov. 27 – Dec. 2013 | 110 Million | Card numbers, names, addresses, phone numbers and emails |
| Sally Beauty Supply | Feb. – March 2014 | 25,000 | Names, card numbers, and CVV codes |
| Neiman Marcus | July 2013 – Jan. 2014 | 1.2 Million | Card numbers |
| Michaels Stores | May 2013 – Jan. 2014 | 3 Million | Card numbers |
| Dairy Queen | Aug. 2014 – Sept. 2014 | TBD | Card numbers, names and expiration dates |
| Kmart | Sept. 2014 – Oct. 2014 | TBD | Card numbers |

How Consumers Can Protect Themselves from Hackers

Leading security experts recommend that consumers take the following steps to help protect themselves:

  • Check your credit card statements online daily. Regularly monitoring your account will minimize damages because fraudulent activity is more quickly identified.
  • If you become nervous or concerned that your information was stolen then get a new card. It is better to be safe than sorry.
  • Use your credit card as opposed to your debit card as much as possible. It is safer to use a credit card because it is not attached to your bank account and offers additional protection.
  • Invest in a credit monitoring service. Many are available for free to affected customers. These services are helpful because they will notify you when there is suspicious activity or if someone is trying to open a credit card in your name.
  • If you notice suspicious activity, call the credit card company immediately. The phone number is usually listed on the back of the card.

The breaches at Target, Sally Beauty Supply, Neiman Marcus, Home Depot, Michaels, Dairy Queen and Kmart are proof that even large retailers can be vulnerable to hackers. Unfortunately, it is impossible to forecast a data breach at any of your favorite stores. The bottom line is, security breaches will always be a threat. If you follow the steps above to protect yourself, you can lessen your chances of becoming a victim.

Recent indictments reveal debit card fraud techniques

On May 9, 2013, federal prosecutors issued indictments against eight individuals for hacking and theft. The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term an “unlimited operation”. An unlimited operation is an attack where debit card account balances and withdrawal limits are removed. In this case, attackers performed an unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to groups around the world. These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.

We have spoken of the increase in the coordination of cyber-attacks many times, and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours, and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from, and it is useful in other industries as well.
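The two signals named above, excessive use of one card number and a change to a card's limits, can be checked with a per-card sliding window. This is an added example, not code from the case or from any bank; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
MAX_WITHDRAWALS = 4              # assumed per-card ceiling inside the window
MAX_ATMS = 3                     # assumed distinct-ATM ceiling inside the window

def find_anomalies(events):
    """events: time-ordered dicts; returns a list of (time, card, reason) alerts."""
    recent = defaultdict(deque)   # card -> (time, atm) pairs still inside WINDOW
    limit_changed = set()         # cards whose limit was raised or removed
    alerted = set()               # (card, reason) pairs already reported
    alerts = []

    def alert(ts, card, reason):
        if (card, reason) not in alerted:      # report each finding once
            alerted.add((card, reason))
            alerts.append((ts, card, reason))

    for ev in events:
        ts, card = ev["time"], ev["card"]
        if ev["type"] == "limit_change":
            old, new = ev["old_limit"], ev["new_limit"]
            if new is None or new > old:       # None means the limit was removed
                limit_changed.add(card)
                alert(ts, card, "limit raised or removed")
        elif ev["type"] == "withdrawal":
            q = recent[card]
            q.append((ts, ev["atm"]))
            while q and ts - q[0][0] > WINDOW:  # drop entries older than the window
                q.popleft()
            atms = {atm for _, atm in q}
            if len(q) > MAX_WITHDRAWALS or len(atms) > MAX_ATMS:
                reason = "withdrawal velocity"
                if card in limit_changed:       # both signals on the same card
                    reason += " after limit change"
                alert(ts, card, reason)
    return alerts

def minute_at(m):  # timestamp helper for the constructed sample below
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=m)

SAMPLE = (  # constructed events, not data from the case
    [{"time": minute_at(0), "type": "limit_change", "card": "card-A",
      "old_limit": 500, "new_limit": None}]
    + [{"time": minute_at(5 + i), "type": "withdrawal", "card": "card-A",
        "atm": f"atm-{i}"} for i in range(5)]
    + [{"time": minute_at(10 + 60 * i), "type": "withdrawal", "card": "card-B",
        "atm": "atm-9"} for i in range(3)]
)
```

On the sample, card-A is reported twice (the limit removal, then the burst across four ATMs), while card-B's hourly withdrawals at a single ATM raise nothing.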

Dexter malware threatens data breaches on point of sale equipment

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash registers and scanning stations to obtain credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 different countries with the majority of infected systems residing in North America and the United Kingdom.  The malware infected machines a few months ago, just in time to steal data from many of the holiday shoppers.

Dexter steals credit card data by recording downloaded files from the POS device and retrieving information from memory.  More specifically, it looks for Track 1 or Track 2 data which is read by most POS devices and contains the account holder name, account number and security code for a credit card.  The malware stores the data and sends it in batches every five minutes to the malware operator who can then use it to make false purchases or clone credit cards.

Malware researchers are still trying to determine how Dexter is infecting POS systems, but POS owners are not defenseless. They can protect themselves from the malware by using devices that encrypt the credit card data from the point at which the card is scanned through the processing stage, in what is known as Point-to-Point Encryption (P2PE). P2PE encrypts the data before it is placed in memory, and Dexter is currently unable to decrypt the data, so P2PE effectively stops Dexter from harvesting credit card numbers on the POS device.

Fraud Alert: Oscar’s Exotic Fish

Last month my fish tank sprung a leak. I have a 75 gallon bow front aquarium so it made quite a mess. I managed to save most of the fish; praise the Lord! When the water settled and my floor was mopped, I began looking for a fish tank that would not break a seal like that. I decided to get an acrylic aquarium without seals to break. The only mistake I made was in my choice of stores. Oscar’s Exotic Fish had the lowest price on the net but the worst service. I ordered my aquarium on November 22 but by December 17, my aquarium still had not arrived. My fish had been living in a quarantine tank for weeks and I was seriously concerned for their health. In the meantime, I received my credit card bill to find that Oscar had billed me three times for an aquarium that never arrived. I tried contacting Oscar right away. First I emailed him and then called him. I called him every day for a few days without a response. I finally called my credit card and disputed the three payments. I will not tolerate that kind of service. Oscar, you should be ashamed of yourself.

So how does the story end? I ordered a different tank from Truly the Best and I am currently waiting for it to arrive. I emailed them before placing the order and they verified that it will arrive in 14 to 21 days. It is quite a beauty of a tank. It is a 90 gallon SeaClear System 2. It is all acrylic and it has a built in wet/dry biological filtration system built into the back of the aquarium. The tank has a 350gph submersible pump so it is very quiet and the bio balls should keep the tank water very clean. I will put my 200W compact lighting on top of it. I am so excited.


[Edit] The tank arrived last week and I got it all conditioned. The fish were moved over yesterday. Here are some pictures. The tank looks great and the fish love it.