Breach Hits Card Processor Global Payments

  • The Wall Street Journal

ROBIN SIDEL And ANDREW R. JOHNSON

Global Payments Inc., which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.

The full extent of the breach couldn’t be determined, one of the people said. It wasn’t immediately clear if cardholders have been hit by fraudulent transactions.

Representatives of Global Payments, based in Atlanta, couldn’t be reached for comment.

Global Payments is a large so-called third-party processor of payment cards, including debit cards, credit cards, and gift cards.

The news comes as MasterCard Inc. and Visa Inc. have been alerting their card-issuing bank customers about the potential breach. It wasn’t immediately known if the banks are planning to reissue cards to their customers.

The breach was reported earlier Friday by the Krebs On Security blog.

MasterCard, of Purchase, N.Y., said law enforcement has been notified of the matter and an “independent data security organization” is conducting a forensic review of the matter.

“MasterCard’s own systems have not been compromised in any manner,” a company spokesman said in a statement. The company will “continue to both monitor this event and take steps to safeguard account information.”

The spokesman declined to say how many cards may have been compromised or how many banks it is notifying.

Representatives for Visa couldn’t immediately be reached for comment.

A notice Visa is sending to banks said it had been notified of a security breach within a third-party payment processor. The estimated window for the breach is between Jan. 21 and Feb. 25, according to a copy of the notice reviewed by The Wall Street Journal.

“The network intrusion may have put accounts at risk of being stolen,” Visa said in the notice, adding that a forensic company is working with the company in question and the U.S. Secret Service is also investigating the breach. “The investigation is still in the early stages and if additional accounts are determined to be at risk” additional alerts will be distributed.

A notice sent to clients recently by PSCU, a technology company that works with credit unions, said it received an alert from Visa on March 23 about a possible incident with a third-party processor. PSCU said the Visa alert identified 46,194 accounts that may have been at risk, though after eliminating duplicate accounts, cards with invalid expiration dates and cards not handled by PSCU, the number of compromised Visa cards was reduced to 26,094.

PSCU couldn’t immediately be reached for comment.

Visa and MasterCard don’t lend or issue cards to consumers; rather, they process transactions for banks that issue their cards and those that handle transactions for merchants.

Representatives of several banks, including Bank of America Corp. and J.P. Morgan Chase & Co., either couldn’t be reached for comment or declined to comment Friday morning.

Cardholders who are concerned about their accounts should contact the banks that issued them their cards, the company said.

—Matthias Rieker contributed to this article.

Write to Andrew R. Johnson at Andrew.R.Johnson

Google’s Breach of Apple’s Safari Said to Be Probed by U.S.

Google Inc’s breach of Apple Inc’s Safari Internet browser is under investigation by U.S. regulators to determine whether it caused consumers to be misled about privacy safeguards, a person familiar with the matter said.
The Federal Trade Commission is examining whether Mountain View, California-based Google effectively deceived consumers by planting so-called cookies on Safari, bypassing Apple software’s privacy settings, said the person, who lacked authorization to speak publicly on the matter and declined to be identified.
The cookies allowed Google to aim targeted advertising at Safari users. The FTC is charged with protecting consumers against “unfair and deceptive” practices under the law that created the agency.
The FTC also is looking at whether Google violated a consent decree with the commission signed last year, the person said.
That settlement was reached after Google agreed it used deceptive tactics and violated its own privacy policies in introducing the Buzz social-networking service in 2010. The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.

Ready to Cooperate

“We will of course cooperate with any officials who have questions,” said Chris Gaither, a spokesman for Google, which has acknowledged it ended up placing the advertising cookies on Safari after opening a connection to give signed-in users access to a Google function. “But it’s important to remember that we didn’t anticipate this would happen.”
Google has been removing the files since discovering the slip, Gaither said in an e-mailed statement. The Wall Street Journal reported earlier that Google is being investigated by U.S. and European Union regulators for using Safari users’ information and bypassing the Apple software’s privacy settings.
European regulators are already reviewing Google’s new privacy policy, which was introduced March 1 to streamline privacy settings for about 60 different services and products.
France’s data-protection agency, the National Commission for Computing and Civil Liberties, or CNIL, is preparing a list of questions to send to Google next week, a spokeswoman for the agency said today. She declined to comment on whether the questionnaire would cover the Safari cookies, and declined to be cited by name, citing CNIL policy. CNIL also acts on behalf of other European regulators.
Google has defied two requests by CNIL to suspend changes to its privacy policy while the agency determines whether those changes comply with European privacy standards.
European regulators “are very concerned, because they are persuaded that these new rules are not at all compliant with the existing European laws,” European Union Justice Commissioner Viviane Reding said March 1, when Google’s privacy changes took effect.
To contact the reporters on this story: Sara Forden in sforden; Jeff Bliss in Washington at jbliss.
To contact the editors responsible for this story: Michael Hytha at mhytha: Steven Komarow at skomarow1

Employee negligence or maliciousness is the root cause of many data breaches, according to the Ponemon Institute.

Over 78 percent of respondents blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations over the past two years.

The top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing devices (35 percent), third party mishaps or flubs (32 percent) and system glitches (29 percent).

Alternatively, nearly 70 percent of those surveyed either agree or strongly agree that their organization’s current security activities are not enough to stop a targeted attack or hacker, according to the study which surveyed 709 IT and IT security practitioners in the United States.

The report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents. Only 19 percent of respondents say that employees self-reported the data breach, making it difficult to promptly resolve the breach. 37 percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

Worse for SMBs

SMBs are at a greater risk of their employees mishandling data than enterprises, according to a separate analysis of the overall respondents from organizations with less than 100 employees. Overall, SMBs have a slightly higher rate of data breaches – 81 percent versus 78 percent – due to employees’ mishandling of sensitive data.

SMB employees were reported to be more likely to engage in “risky” behavior: 58 percent of them will or have already opened attachments or web-links in spam, versus 39 percent from enterprises; 77 percent will or have already left their computer unattended, versus 62 percent of their enterprise counterparts.

The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limit websites, compared to 43 percent of enterprise employees.

The majority (65 percent) of smaller organizations say that, in general, their organizations’ sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies.

Further, employees are less likely in smaller organizations to spend time on data protection or have the proper technologies in place to thwart data loss: 62 percent of organizations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

“Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerization of IT, and the use of social media in the workplace. We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with data-centric security technology, education and awareness among employees are essential,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

http://www.net-security.org/secworld.php?id=12540

Google privacy changes ‘in breach of EU law’

BBC News


1 March 2012 Last updated at 10:00 ET

Changes made by Google to its privacy policy are in breach of European law, the EU’s justice commissioner has said.
Viviane Reding told the BBC that authorities found that “transparency rules have not been applied”.
The policy change, implemented on Thursday, means private data collected by one Google service can be shared with its other platforms including YouTube, Gmail and Blogger.
Google said it believed the new policy complied with EU law.
“We are confident that our new simple, clear and transparent privacy policy respects all European data protection laws and principles,” it said in a statement.
It said the new set-up would enable it to tailor search results more effectively, as well as offer better targeted advertising to users.
It went ahead with the changes despite warnings from the EU earlier this week.
Data regulators in France had cast doubt on the legality of the move and launched a Europe-wide investigation.
More than 60 sets of guidelines for its individual Google-owned sites were merged into a single policy for all of its services.
It means browsing data and web history, which is gathered when a user is signed in with a Google account, can be shared across all of the websites.

Linked activity

Google’s business model – the selling of ads targeted on individual user behaviour – relies on collecting browsing information from its visitors.
Until Thursday, different services did not share this information.
This meant a search on, for example, YouTube, would not affect the results or advertising you would encounter on another Google site such as Gmail.
The new agreement, which users cannot opt out of unless they stop using Google’s services, will mean activity on all of the company’s sites will be linked.
Logging out of Google’s services will reduce the amount of data stored by the company, although – like many other sites – it will still store anonymous data about web activity.
France’s privacy watchdog CNIL wrote to Google earlier this week, urging a “pause” in rolling out the revised policy.
“The CNIL and EU data authorities are deeply concerned about the combination of personal data across services,” the regulator wrote.
“They have strong doubts about the lawfulness and fairness of such processing, and its compliance with European data protection legislation.”
The regulator said it would send Google questions on the changes by mid-March. On Thursday, Ms Reding told BBC Radio 4’s World At One that conclusions from initial investigations had left CNIL “deeply concerned”.

‘Strong as ever’

Earlier, Google’s global privacy counsel Peter Fleischer said he was happy to answer any concerns CNIL had.
“As we’ve said several times over the past week, while our privacy policies will change on 1st March, our commitment to our privacy principles is as strong as ever,” Mr Fleischer wrote in a blog post.
The company rejected the regulator’s request to hold off on making the changes. Users are being moved on to the new single policy shortly after midnight on 1 March, local time.
Many websites and blogs in the technology community have given guidance for users concerned about how their browsing history will be used.
They suggest users can access, and delete, their browsing and search history on the site by logging in to google.com/history.
A similar page for YouTube viewing and search history can also be accessed.
Users can see which Google services hold data about them by viewing their dashboard.

‘Advertiser interests’

In preparation for the policy change, Google displayed prominent messages notifying visitors about the plans. A dedicated section was set up to provide more details.
However, campaign group Big Brother Watch has argued that not enough has been done to ensure people are fully aware of the alterations.
A poll of more than 2,000 people conducted by the group in conjunction with YouGov suggested 47% of Google users in the UK were not aware policy changes were taking place.
Only 12% of British Google users, Big Brother Watch said, had read the new agreement.
The group’s director Nick Pickles said: “If people don’t understand what is happening to their personal information, how can they make an informed choice about using a service?
“Google is putting advertisers’ interests before user privacy and should not be rushing ahead before the public understand what the changes will mean.”
http://www.bbc.co.uk/news/technology-17205754?print=true

Zappos Data Breach — 24 Million Customers Warned

KGW.com reported about the Zappos Data breach yesterday through an interview with GadgetTrak Founder, Ken Westin. Although by Ken’s estimation, Zappos had best in class security and did “everything right” to protect customer data – they were breached – and customer data may have been stolen. From the mass Zappos email last night to 24 million customers impacted by the breach of personal information including credit card data — “We recommend you change your password”.

Now that is a helpful tip. Change your password. Let’s all go do that right now, across all of our 1,000 sites. Amazing how we keep trying to solve the same problems with the same solutions expecting a different outcome – by the way that is very nearly the definition of insanity.

Anonymous does it again– enters security breach on US, Nato data

Anonymous does it again and creates a security breach on US and Nato data, as reported by Patrick Leafson at The Internet Post. TIP is a news source blog focused on distributing much better informational news reporting away from the Democrat and Republican tail-spinning arguments that are usually rooted in confusion and hate. TIP is your alternative.

There was additional insight into the trend of such attacks from Anthony L. Kimery, Homeland Security Today’s senior reporter and online editor, in the story “Cyberattacks Pose Threat To Law Enforcement Intelligence, Operations And Personnel”.

As reported now, on 09 Jan 2012 — The hacker group “Anonymous” exposed thousands of email addresses and passwords belonging to U.S. and NATO officials that it obtained due to a security breach. The online hacktivist group claimed it had stolen intelligence analysis firm Stratfor’s confidential client list, which included the U.S. Defense Department, Army, Air Force, law enforcement agencies, top security contractors and technology firms like Apple and Microsoft, over Christmas. Among the huge trove of private information exposed by the group are email addresses/personal information belonging to 221 British military officials, 242 NATO staff and 19-thousand U.S. military personnel.

Breach Can Cost $2 Million, Study Says

Greg Freeman, January 13, 2012

This article appears in the January 2012 issue of HealthLeaders magazine.

A significant data breach can cost your organization $2 million, according to a study by the Ponemon Institute in Traverse City, MI. The research and consulting group found that hospitals are rushing to adopt electronic health records in an effort to cash in on government incentives, but they may not be prepared to adequately address data security and data privacy issues.

Here are some of the key findings of the study, Benchmark Study on Patient Privacy and Data Security:

  • Sixty percent of organizations in the study had more than two data breaches in the past two years.
  • The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations, 38%, did not notify any patients.
  • The top three causes of a data breach were: unintentional employee action, lost or stolen computing devices, and third-party errors.
  • Forty-one percent discovered the data breach as a result of a patient complaint.
  • Sixty-three percent of organizations say it took them between one and six months to resolve the incident.
