Tag Archives: credit card

Breach Brief – Macy’s, Adidas

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store credit verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s, the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and was able to log into the online profiles of shoppers at Macy’s and its subsidiary Bloomingdale’s. It is not known how the hackers got the information. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

 

Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result of a suspected data breach. Adidas first became aware of the incident on June 26 and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Breach Brief – Chili’s

Popular restaurant chain Chili’s has issued a statement reporting a data breach of its payments system. According to the statement, Chili’s became aware of the breach on May 11th of this year and admitted that some customers’ payment information was compromised. The data breach is believed to impact patrons who ate at the chain between March and April of 2018. Chili’s is owned by Dallas-based Brinker International, Inc.

The breach is believed to have been carried out by malware inserted into payment systems that gathered payment information including credit and debit card numbers as well as cardholder names. The company has not specified which of its 1,600 locations were affected by the data breach or how many customers are impacted.

Officials of the restaurant chain have contacted both law enforcement and third-party forensic experts as part of the investigation. Chili’s reports it’s trying to provide fraud resolution and credit monitoring services for affected customers and it will share more information as it becomes available. The company will notify customers affected by the breach and plans to offer free identity theft protection services through ID Experts’ MyIDCare. The company is advising customers to be vigilant for possible fraudulent charges on their credit or debit cards and for indications of identity theft.

Brinker International also owns Italian eatery Maggiano’s which is unaffected by the breach.

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Panera, a popular bakery-cafe, has admitted its website was leaking data. According to Brian Krebs of KrebsOnSecurity.com, Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has over 2,100 outlets nationwide.

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security, was informed of the flaw and said the company was “working on a resolution.” Despite this statement the flaw was not repaired.

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers. 

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured.  The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said: “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to be alert for any fraudulent activity in their bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation, the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018 and only in New York-New Jersey area stores.

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement: “We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach. Data of 880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.  

Orbitz plans to notify all customers whose information may have been compromised and is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free.

 

Breach Brief – InterContinental Hotels

InterContinental Hotels Group announced today that its hotel chain has been hit by malware resulting in a massive data breach. The hotel chain was infected by malware in its payments systems. The malware was designed to collect guests’ credit card data including name, card numbers, expiration dates and security codes. According to a hotel spokesperson, “Approximately 1,200 IHG-branded franchise hotel locations in the Americas were affected.”

According to KrebsOnSecurity.com the number may even be higher. The website originally reported the data breach in December. Krebs reports that IHG has not yet inspected all its properties, some of which are franchises. IHG has been reaching out to franchised properties asking them to participate in the investigation.

The data breach began in September 2016 and continued through to the end of December of last year. According to IHG there is no indication the malware was active after December 29th. However, it cannot verify that all the malware was removed until March.

To add insult to injury, the hotel chain does not know how many customers were affected nor is it offering any help to those customers. The company is only saying that guests should “remain vigilant to the possibility of fraud” and urged customers to review their card statements.

In an email to TheVerge.com IHG stated that its investigation was ongoing and a “small percentage” of franchises haven’t participated. IHG says it has 3,925 hotels in the Americas. IHG owns the following hotel chains in the U.S.

If you have stayed in any of these hotels since September of last year there is a website where you can check to see if that hotel was affected. IHG plans to add additional locations to the list when its investigation is completed.

Breach Brief – Verifone

Verifone, the largest maker of payment terminals, reported it is investigating a data breach of its systems. The company provides terminals and services to merchants that allow consumers to swipe credit and debit cards. The terminals can be found at a variety of businesses, including retailers, taxis, and gas stations. Verifone claims the hack was contained to its corporate networks.

An urgent email was sent to all company employees and contractors on January 23rd. The email warned them to change their company passwords within 24 hours. Employees were also notified that installing software of any kind on company computers and laptops was no longer permitted. Verifone has not said what or how much data was possibly compromised or when the breach occurred.

Verifone was notified by credit card providers Visa and Mastercard a few days prior to Verifone’s employee alert. 

According to Verifone, about two dozen point-of-sale payment systems at gas stations were targeted. However, the situation could be more serious. Experts say that such small intrusions into payment systems are a precursor to larger attacks. Cyber criminals may have learned enough about Verifone to attack the payment systems at a later date, sometimes months or years later. This leaves many consumers open to being victimized.

The company operates in 150 countries and employs 5,000 people. 

Breach Brief – U.S. Navy, Madison Square Garden

The United States Navy announced on Wednesday that hackers have gained access to sensitive personal information of more than 130,000 current and former sailors. The information lost includes names and social security numbers.

According to Navy officials, the information was contained on a laptop computer belonging to Hewlett Packard Enterprise Services, a Navy contractor. The firm first notified the Navy on October 27.

Chief of Naval Personnel Vice Admiral Robert Burke issued a statement saying: “The Navy takes this incident extremely seriously. This is a matter of trust for our sailors.” He then went on to add that the investigation is still in its “early stages.”

The Navy is reacting by following all required procedures to notify and protect sailors affected by the breach. Officials stated that additional information on the breach would be provided to affected sailors as it becomes available. Sailors will also receive credit monitoring service options in the future. The Navy insisted: “There is no evidence to suggest misuse of the information that was compromised.”

This is the second major loss of Navy data involving Hewlett-Packard. According to the Navy Times HP reported to the Navy in 2013 that Iranian hackers compromised the unclassified Navy and Marine Corps Intranet.  Navy Times reported the personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.

The iconic Madison Square Garden Company reported malware in its payments systems has been capturing payment-card data for more than a year.

On Tuesday MSG warned customers the breach had exposed customer data found on magnetic strips of credit cards. Data collected included card numbers, cardholder names, expiration dates, and internal verification codes.

Madison Square Garden properties affected include the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater. MSG has not announced how many cards are compromised but millions of people visit the properties annually.

Lenny App Introduces Credit to Millennials

Lenny Founder Joe Bayen

Lenny is a new financial app that will offer credit lines of up to $10,000 to millennials and report their payment activity to credit bureaus to build their credit history.  A millennial is considered a person who reached adulthood around the year 2000.

Lenny is designed to modernize credit for millennials. As a demographic, millennials lack credit and that impacts major purchases such as cars and homes. According to Lenny, 49 percent of millennials don’t have a credit card and 43 percent hold credit scores below 600. The Lenny app seeks to empower young adults to take control of their finances through credit lines, peer-to-peer payments and credit-score education.

According to the Wall Street Journal the average U.S. college student leaves school $35,000 in debt. These graduates are in desperate need of help to secure loans and find solid financial advice. Many millennials are entering the job market financially handicapped with little or no knowledge of how the credit score system works. Lenny offers a way to fix this situation by offering financial tools and education through its blog.

But there is another factor that comes into play. Many millennials are rejecting credit or at least credit cards. According to a survey conducted by Bankrate, 63 percent of people between the ages of 18-29 years old have no credit card.

Another interesting fact from an April 2014 Gallup poll revealed that Americans’ reliance on credit cards, in general, has declined steadily since the Great Recession. Additionally, it is tougher to get a credit card thanks to the Credit Card Accountability, Responsibility and Disclosure Act of 2009, or CARD Act, which made it harder for anyone under 21 to get a credit card.

Lenny founder Joe Bayen admits to his own credit problems while he was in college. Bayen used a credit card to purchase a car while in college resulting in a poor credit score. Now that he has recovered from that experience Bayen seeks to prevent other students from making the same mistake.

To use Lenny, millennials simply download the app and set up a Lenny account. By signing up they can apply for an initial credit line from as little as $100 up to $10,000 with zero percent interest if they make the payments on time. Rates increase from as low as 4 percent rising to an average of 9.8 percent interest when payments are not made in full. Lenny uses a credit decision algorithm to determine an individual’s credit score. After a credit line has been approved, users can move the money to their personal bank accounts or instantly pay their friends using the peer-to-peer payment function. When re-payments are made on time, users’ credit limits can increase by up to $1000 a quarter.

“Lenny is building a one-stop shop organization that serves the financial needs of a generation,” said CEO and co-founder Joe Bayen. “We help individuals improve their credit scores by informing major credit bureaus when payments are made on time. Your improved credit score can then be used to rent a house without needing a cosigner, help secure great credit cards, and more.”

Breach Brief – Wendy’s

It seems that the Wendy’s data breach was worse than thought. The AACR first reported the data breach in January. Now we are seeing the real damage. Wendy’s has admitted that the data breach was first suspected of affecting only a few hundred of its restaurants. Now the truth comes out and the number is over 1,000.

Wendy’s has released a searchable list of all the restaurants affected by the breach.

Originally Wendy’s believed that only 300 of its 5,700 franchises were breached. Wendy’s notified its customers and the public in February of the breach when it discovered evidence of malware in its POS systems.

Wendy’s has issued the following statement regarding the expanding breach.

“Based on the facts known to Wendy’s at this time, the additional malware targeted the following payment card data: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. Please note that the cardholder verification value that may have been put at risk is not the three or four-digit value that is printed on the back or front of cards, which is sometimes used in online transactions.”

After detecting the presence of the malware Wendy’s claimed to have disabled it. Wendy’s believes that the malware attack first took place in the fall of 2015. Wendy’s also believes that it detected evidence of at least two separate malware attacks on its systems.

Customers of the fast food chain affected by the breach will receive a year’s worth of “identity consultation” from Kroll Identity Theft Restoration if necessary. According to Wendy’s, “an experienced licensed investigator will work on your behalf to resolve related issues.”