The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches.
A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot.
Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen.
Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.
The PCI security standard, which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant with the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment.
10. CardSystems Solutions – 40 million cards: CardSystems Solutions, a now-defunct card processing company in Arizona, holds the distinction of being the first major business to be breached following the passage of California’s breach notification law in 2002 — the first law in the nation requiring businesses to tell customers when their sensitive data has been stolen. The intruders placed a malicious script on the company’s network that was designed to sniff for card transaction data, resulting in the names, card numbers and security codes of some 40 million debit and credit cards being exposed to the hackers. CardSystems was storing unencrypted transaction data, after transactions were completed, in violation of the PCI security standard. The company was certified PCI compliant in June 2004 and discovered it had been breached in May 2005.
9. TJX – 94 million cards: TJX was just one of more than a dozen retailers hacked by Albert Gonzalez and a team of cohorts, including two Russian hackers. They breached the TJX network in 2007 through war-dialing — a practice that involves driving by businesses and offices with an antenna hooked to a laptop with special software to suss out wireless networks. From TJX’s wireless network, they burrowed their way into the company’s card processing network, which was transmitting card data unencrypted. The initial breach occurred in July 2005 but wasn’t discovered until December 2006. Additional breaches occurred later in 2005, 2006 and even in mid-January 2007, after the initial breach had been discovered. The breach cost the company about $256 million.
8. Heartland Payment Systems – 130 million cards: Albert Gonzalez earned his moniker as the TJX hacker, but the penultimate breach attributed to him and his Russian hacker gang was Heartland Payment Systems — a card processing company in New Jersey. The hack operation began small — focusing on TJX and other end retailers where customer card data was first collected. But they quickly realized the real gold was held by the card processors that aggregated millions of cards from multiple businesses before routing the card data to banks to be verified. Heartland was the Fort Knox of processors, with 250,000 businesses processing about 100 million card transactions through it each month. The company learned in October 2008 that it might have been hacked, but it took nearly three months to confirm the breach. The attackers had installed a sniffer in an unallocated portion of a Heartland server and eluded forensic investigators for months. Heartland had been certified compliant six times before the breach, including in April 2008. The breach began the next month, but wasn’t discovered until January 2009. It cost the company more than $130 million in fines, legal expenses and other costs, though the company recovered some of this through insurance.
7. RBS WorldPay – 1.5 million cards: The RBS hack isn’t significant for the number of cards affected — the hackers used only a small number of the cards at their disposal for their heist — but for the amount of money they stole using the cards. This wasn’t a traditional retailer or card processing hack. RBS WorldPay is the payment-processing arm of the Royal Bank of Scotland and provides a number of electronic payment processing services, including electronic benefits transfer payments and prepaid cards, such as payroll cards — offered by some employers as a paperless alternative to paychecks. It discovered in November 2008 that intruders had accessed account details for 100 payroll cards and raised the balance on the compromised cards as well as their daily withdrawal limits. In some cases, they raised the withdrawal limit to $500,000. They distributed the card details to an army of cashers who embedded the data onto blank cards. In a global coordinated heist, the cashers then hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million in less than 12 hours.
6. Barnes and Noble – unknown: This breach made the list for the first major operation involving point-of-sale terminals, though more than a year after the hack, Barnes and Noble has still provided no details about the breach or the number of cards affected. All that’s known is that the FBI began investigating the incident in September 2012. The skimming software was discovered on point-of-sale devices in 63 Barnes and Noble stores in nine states, though only one POS device in each store was affected. It’s not known how the skimmer was placed on the devices.
5. Canadian Carding Ring – unknown: The Barnes and Noble heist was reminiscent of a Canadian operation that occurred months earlier and involved tampering with POS terminals in order to steal more than $7 million. Police said the group, based out of Montreal, operated in a coordinated fashion with military precision, doling out cloned cards to runners in lock boxes. One part of the gang was responsible for installing skimming devices on ATMs and for seizing point-of-sale (POS) machines from restaurants and retailers in order to install sniffers on them before returning them to the businesses. Police said the thieves took the POS machines to cars, vans and hotel rooms, where technicians hacked into the processors and rigged them so that card data could be siphoned from them remotely using Bluetooth. The modifications took only about an hour to accomplish, after which the devices were returned to the businesses before they re-opened the next day. The ring is believed to have had inside help from employees who took bribes to look the other way.
4. Unknown Card Processor in India and U.S. – unknown: In a heist that was similar to the RBS WorldPay breach, hackers broke into unnamed card processing companies in India and the U.S. that handled pre-paid card accounts. They increased the limits on the accounts and handed off the details to cashers who drained more than $45 million from ATMs around the world.
3. Cisero’s Ristorante and Nightclub – unknown: It’s unknown whether Cisero’s was actually ever breached or, if it was, how many cards were stolen. But that isn’t why Cisero’s made our list. The small, family-run restaurant in Park City, Utah made the list because it took on a David and Goliath battle against the card payment industry over unfair fines for a breach that was never proven to have occurred. In March 2008, Visa notified U.S. Bank that Cisero’s network might have been compromised after cards used at the restaurant were used for fraudulent transactions elsewhere. U.S. Bank, and its affiliate Elavon, processed bank card transactions for Cisero’s. The restaurant hired two firms to conduct a forensic investigation, but neither found any evidence that a breach occurred or that payment card data of any kind was stolen. The audits, however, did find that the point-of-sale system the restaurant used stored unencrypted customer account numbers, in violation of the PCI standard. Visa and MasterCard imposed fines of about $99,000 on U.S. Bank and Elavon since, under the PCI system, the banks and card processors that process transactions for merchants are fined, not the merchants and retailers themselves. U.S. Bank and Elavon then seized about $10,000 from the restaurant’s U.S. Bank account before the restaurant owners closed the account and sued.
2. Global Payments Inc – 1.5 million cards: This Atlanta-based payments processor claimed it was breached sometime in January or February 2012. But in April 2012, Visa warned issuers that the breach likely dated back to 2011 and might have affected transactions going back to June 7, 2011. Little is known about the breach. In an April 2012 conference call with investors, CEO Paul R. Garcia told listeners that the breach had been limited to a “handful of servers” in its North American processing system and that no fraudulent activity had been seen on any of the cards. Unlike most breaches that are only discovered months after the intrusion and generally only after Visa, MasterCard and other members of the card industry notice a pattern of fraudulent activity on accounts, Garcia claimed his company discovered the breach on its own. “We had security measures in place that caught it,” he said. He acknowledged, however, that while the company’s loss-prevention software spotted data being exfiltrated from the company’s servers, it hadn’t prevented the data from going out in the first place. “So partly it worked and partly it didn’t,” he told investors. He said the company would be investing in additional security. The breach cost the company an estimated $94 million; $36 million of this was for fines and fraud losses and about $60 million was for investigation and remediation.
1. The Next Big Breach: Like death and taxes, the next big card breach is an assured thing.