Breach Hits Card Processor Global Payments

  • The Wall Street Journal

Robin Sidel and Andrew R. Johnson

Global Payments Inc., which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.

The full extent of the breach couldn’t be determined, one of the people said. It wasn’t immediately clear if cardholders have been hit by fraudulent transactions.

Representatives of Global Payments, based in Atlanta, couldn’t be reached for comment.

Global Payments is a large so-called third-party processor of payment cards, including debit cards, credit cards and gift cards.

The news comes as MasterCard Inc. and Visa Inc. have been alerting their card-issuing bank customers about the potential breach. It wasn’t immediately known if the banks are planning to reissue cards to their customers.

The breach was reported earlier Friday by the Krebs On Security blog.

MasterCard, of Purchase, N.Y., said law enforcement has been notified of the matter and an “independent data security organization” is conducting a forensic review of the matter.

“MasterCard’s own systems have not been compromised in any manner,” a company spokesman said in a statement. The company will “continue to both monitor this event and take steps to safeguard account information.”

The spokesman declined to say how many cards may have been compromised or how many banks it is notifying.

Representatives for Visa couldn’t immediately be reached for comment.

A notice Visa is sending to banks said it had been notified of a security breach within a third-party payment processor. The estimated window for the breach is Jan. 21 and Feb. 25, according to a copy of the notice reviewed by The Wall Street Journal.

“The network intrusion may have put accounts at risk of being stolen,” Visa said in the notice, adding that a forensic company is working with the company in question and the U.S. Secret Service is also investigating the breach. “The investigation is still in the early stages and if additional accounts are determined to be at risk” additional alerts will be distributed.

A notice sent to clients recently by PSCU, a technology company that works with credit unions, said it received an alert from Visa on March 23 about a possible incident with a third-party processor. PSCU said the Visa alert identified 46,194 accounts that may have been at risk, though after eliminating duplicate accounts, cards with invalid expiration dates and cards not handled by PSCU, the number of compromised Visa cards was reduced to 26,094.

PSCU couldn’t immediately be reached for comment.

Visa and MasterCard don’t lend or issue cards to consumers; rather, they process transactions for banks that issue their cards and those that handle transactions for merchants.

Representatives of several banks, including Bank of America Corp. and J.P. Morgan Chase & Co., either couldn’t be reached for comment or declined to comment Friday morning.

Cardholders who are concerned about their accounts should contact the banks that issued them their cards, the company said.

—Matthias Rieker contributed to this article.

Write to Andrew R. Johnson at Andrew.R.Johnson

Google’s Breach of Apple’s Safari Said to Be Probed by U.S.

Google Inc’s breach of Apple Inc’s Safari Internet browser is under investigation by U.S. regulators to determine whether it caused consumers to be misled about privacy safeguards, a person familiar with the matter said.
The Federal Trade Commission is examining whether Mountain View, California-based Google effectively deceived consumers by planting so-called cookies on Safari, bypassing Apple software’s privacy settings, said the person, who lacked authorization to speak publicly on the matter and declined to be identified.
The cookies allowed Google to aim targeted advertising at Safari users. The FTC is charged with protecting consumers against “unfair and deceptive” practices under the law that created the agency.
The FTC also is looking at whether Google violated a consent decree with the commission signed last year, the person said.
That settlement was reached after Google agreed it used deceptive tactics and violated its own privacy policies in introducing the Buzz social-networking service in 2010. The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.

Ready to Cooperate

“We will of course cooperate with any officials who have questions,” said Chris Gaither, a spokesman for Google, which has acknowledged it ended up placing the advertising cookies on Safari after opening a connection to give signed-in users access to a Google function. “But it’s important to remember that we didn’t anticipate this would happen.”
Google has been removing the files since discovering the slip, Gaither said in an e-mailed statement. The Wall Street Journal reported earlier that Google is being investigated by U.S. and European Union regulators for using Safari users’ information and bypassing the Apple software’s privacy settings.
European regulators are already reviewing Google’s new privacy policy, which was introduced March 1 to streamline privacy settings for about 60 different services and products.
France’s data-protection agency, the National Commission for Computing and Civil Liberties, or CNIL, is preparing a list of questions to send to Google next week, a spokeswoman for the agency said today. She declined to comment on whether the questionnaire would cover the Safari cookies, and declined to be cited by name, citing CNIL policy. CNIL also acts on behalf of other European regulators.
Google has defied two requests by CNIL to suspend changes to its privacy policy while the agency determines whether those changes comply with European privacy standards.
European regulators “are very concerned, because they are persuaded that these new rules are not at all compliant with the existing European laws,” European Union Justice Commissioner Viviane Reding said March 1, when Google’s privacy changes took effect.
To contact the reporters on this story: Sara Forden in sforden; Jeff Bliss in Washington at jbliss.
To contact the editors responsible for this story: Michael Hytha at mhytha: Steven Komarow at skomarow1

Employee negligence or maliciousness is the root cause of many data breaches, according to the Ponemon Institute.

Over 78 percent of respondents blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations over the past two years.

The top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing devices (35 percent), third party mishaps or flubs (32 percent) and system glitches (29 percent).

Alternatively, nearly 70 percent of those surveyed either agree or strongly agree that their organization’s current security activities are not enough to stop a targeted attack or hacker, according to the study which surveyed 709 IT and IT security practitioners in the United States.

The report reveals that even when employees make unintentional mistakes, most of these breaches are discovered only by accident, according to 56 percent of respondents. Only 19 percent of respondents say that employees self-reported the data breach, which makes it difficult to resolve the breach promptly. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

Worse for SMBs

SMBs are at a greater risk of their employees mishandling data than enterprises, according to a separate analysis of the respondents from organizations with fewer than 100 employees. Overall, SMBs have a slightly higher rate of data breaches caused by employees mishandling sensitive data: 81 percent versus 78 percent.

SMB employees were reported to be more likely to engage in “risky” behavior: 58 percent of them will or have already opened attachments or web links in spam, versus 39 percent of enterprise employees; 77 percent will or have already left their computer unattended, versus 62 percent of their enterprise counterparts.

The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limit websites, compared to 43 percent of enterprise employees.

The majority (65 percent) of smaller organizations say that, in general, their organizations’ sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies.

Further, employees in smaller organizations are less likely to spend time on data protection or to have the proper technologies in place to thwart data loss: 62 percent of these organizations believe they are not protected. Of those respondents, 65 percent say it is because the technologies are too expensive and 54 percent say they are too complex.

“Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerization of IT, and the use of social media in the workplace. We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with data-centric security technology, education and awareness among employees are essential,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

http://www.net-security.org/secworld.php?id=12540

Google privacy changes ‘in breach of EU law’

BBC News

1 March 2012, last updated at 10:00 ET

Changes made by Google to its privacy policy are in breach of European law, the EU’s justice commissioner has said.
Viviane Reding told the BBC that authorities found that “transparency rules have not been applied”.
The policy change, implemented on Thursday, means private data collected by one Google service can be shared with its other platforms including YouTube, Gmail and Blogger.
Google said it believed the new policy complied with EU law.
“We are confident that our new simple, clear and transparent privacy policy respects all European data protection laws and principles,” it said in a statement.
It said the new set-up would enable it to tailor search results more effectively, as well as offer better targeted advertising to users.
It went ahead with the changes despite warnings from the EU earlier this week.
Data regulators in France had cast doubt on the legality of the move and launched a Europe-wide investigation.
More than 60 sets of guidelines for its individual Google-owned sites were merged into a single policy for all of its services.
It means browsing data and web history, which is gathered when a user is signed in with a Google account, can be shared across all of the websites.
Linked activity

Google’s business model – the selling of ads targeted on individual user behaviour – relies on collecting browsing information from its visitors.
Until Thursday, different services did not share this information.
This meant a search on, for example, YouTube, would not affect the results or advertising you would encounter on another Google site such as Gmail.
The new agreement, which users cannot opt out of unless they stop using Google’s services, will mean activity on all of the company’s sites will be linked.
Logging out of Google’s services will reduce the amount of data stored by the company, although – like many other sites – it will still store anonymous data about web activity.
France’s privacy watchdog CNIL wrote to Google earlier this week, urging a “pause” in rolling out the revised policy.
“The CNIL and EU data authorities are deeply concerned about the combination of personal data across services,” the regulator wrote.
“They have strong doubts about the lawfulness and fairness of such processing, and its compliance with European data protection legislation.”
The regulator said it would send Google questions on the changes by mid-March. On Thursday, Ms Reding told BBC Radio 4’s World At One that conclusions from initial investigations had left CNIL “deeply concerned”.
‘Strong as ever’

Earlier, Google’s global privacy counsel Peter Fleischer said he was happy to answer any concerns CNIL had.
“As we’ve said several times over the past week, while our privacy policies will change on 1st March, our commitment to our privacy principles is as strong as ever,” Mr Fleischer wrote in a blog post.
The company rejected the regulator’s request to hold off on making the changes. Users are being moved on to the new single policy shortly after midnight on 1 March, local time.
Many websites and blogs in the technology community have given guidance for users concerned about how their browsing history will be used.
They suggest users can access, and delete, their browsing and search history on the site by logging in to google.com/history.
A similar page for YouTube viewing and search history can also be accessed.
Users can see which Google services hold data about them by viewing their dashboard.
‘Advertiser interests’

In preparation for the policy change, Google displayed prominent messages notifying visitors about the plans. A dedicated section was set up to provide more details.
However, campaign group Big Brother Watch has argued that not enough has been done to ensure people are fully aware of the alterations.
A poll of more than 2,000 people conducted by the group in conjunction with YouGov suggested 47% of Google users in the UK were not aware policy changes were taking place.
Only 12% of British Google users, Big Brother Watch said, had read the new agreement.
The group’s director Nick Pickles said: “If people don’t understand what is happening to their personal information, how can they make an informed choice about using a service?
“Google is putting advertisers’ interests before user privacy and should not be rushing ahead before the public understand what the changes will mean.”
http://www.bbc.co.uk/news/technology-17205754?print=true

Zappos Data Breach — 24 Million Customers Warned

KGW.com reported on the Zappos data breach yesterday through an interview with GadgetTrak founder Ken Westin. By Ken’s estimation, Zappos had best-in-class security and did “everything right” to protect customer data – yet they were breached, and customer data may have been stolen. The mass Zappos email sent last night to the 24 million customers affected by the breach of personal information, including credit card data, advised: “We recommend you change your password”.

Now that is a helpful tip. Change your password. Let’s all go do that right now, across all of our 1,000 sites. It is amazing how we keep trying to solve the same problems with the same solutions while expecting a different outcome – which, by the way, is very nearly the definition of insanity.

Anonymous does it again – security breach of US, NATO data

Anonymous does it again and causes a security breach of US and NATO data, as reported by Patrick Leafson at The Internet Post. TIP is a news blog focused on delivering better informational news reporting, away from the Democratic and Republican tail-spinning arguments that are usually rooted in confusion and hate. TIP is your alternative.

Additional insight into the trend of such attacks came from Anthony L. Kimery, Homeland Security Today’s senior reporter and online editor, in the story “Cyberattacks Pose Threat To Law Enforcement Intelligence, Operations And Personnel”.

As reported on 09 Jan 2012: the hacker group “Anonymous” exposed thousands of email addresses and passwords belonging to U.S. and NATO officials, obtained through a security breach. The online hacktivist group claimed that over Christmas it had stolen intelligence analysis firm Stratfor’s confidential client list, which included the U.S. Defense Department, Army, Air Force, law enforcement agencies, top security contractors and technology firms such as Apple and Microsoft. Among the huge trove of private information exposed by the group are email addresses and personal information belonging to 221 British military officials, 242 NATO staff and 19,000 U.S. military personnel.

Breach Can Cost $2 Million, Study Says

Greg Freeman, January 13, 2012

This article appears in the January 2012 issue of HealthLeaders magazine.

A significant data breach can cost your organization $2 million, according to a study by the Ponemon Institute in Traverse City, MI. The research and consulting group found that hospitals are rushing to adopt electronic health records in an effort to cash in on government incentives, but they may not be prepared to adequately address data security and data privacy issues.

Here are some of the key findings of the study, Benchmark Study on Patient Privacy and Data Security:

  • Sixty percent of organizations in the study had more than two data breaches in the past two years.
  • The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations, 38%, did not notify any patients.
  • The top three causes of a data breach were: unintentional employee action, lost or stolen computing devices, and third-party errors.
  • Forty-one percent discovered the data breach as a result of a patient complaint.
  • Sixty-three percent of organizations say it took them between one and six months to resolve the incident.

Huge Security Breach at Security Firm Symantec No Threat to Consumers, Analyst Says

By Joshua Rhett Miller

Published January 06, 2012 | FoxNews.com

One of the biggest security firms in the world may need to boost its own security: A hacker stole the source code behind Symantec’s industry-leading antivirus program.
The code theft from the security giant is unlikely to affect the average computer user or compromise his computer, an analyst told FoxNews.com.

2012 Infographic – What should we expect?

From the Verizon Report http://www.verizonbusiness.com/Thinkforward/

According to the Verizon “2011 Data Breach Investigations Report,” the number of data attacks has tripled in the past five years, making the need to balance security with risk an even greater priority for businesses and consumers. With this trend in mind, Verizon’s ICSA Labs division recommends that businesses and consumers guard against the following 13 security threats in 2012:

Mobile Malware Is on the Rise. Malware targeting mobile devices will continue to increase, and enterprises will wrestle with how to protect users. Obvious targets will be smartphones and tablets, with the hardest hit likely to be Android-based devices, given that operating system’s large market share and open innovation platform. All mobile platforms will experience an increase in mobile attacks.

Criminals Target and Infect App Stores. Infected applications, rather than browser-based downloads, will be the main sources of attack. Because they are not policed well, unauthorized application stores will be the predominant source of mobile malware. Cybercriminals will post their infected applications here to attempt to lure trusting users into downloading rogue applications. Cybercriminals also will find ways to get their applications posted into authorized application stores. And infections can easily spread beyond the smartphone and into a corporate network, upping the ante on risk.

Application Scoring Systems Will be Developed and Implemented. To reassure users, organizations will want to have their application source code reviewed by third parties. Similarly, organizations will want to be sure that the applications approved for use on workers’ devices meet a certain standard. It is anticipated that the industry will develop a scoring system that helps ensure that users only download appropriate, corporate-sanctioned applications to business devices.

Emergence of Bank-Friendly Applications with Built-in Security. Mobile devices will increasingly be used to view banking information, transfer money, donate to charities and make payments for goods and services, presenting an opportunity for cybercriminals, who will find ways to circumvent protections. To help ensure the security of online banking, the banking industry is likely to begin to offer applications that have strong, built-in security layers.

Hyper-connectivity Leads to Growing Identity and Privacy Challenges. In today’s business environment, more users need to legitimately access more data from more places. This requires the protection of data at every access point by using stronger credentials, deploying more secure, partner-accessible systems, and improving log management and analysis. Compounding the issue are a new age of cross-platform malicious code, aimed at sabotage, and mounting concerns about privacy. Enterprises will no longer be able to ignore this problem in 2012, and will have to make some hard choices.

New Risks Accompany Move to Digitized Health Records. In the U.S., health care reform and stimulus funding will continue to accelerate the adoption of electronic health records and related technologies throughout the industry. The American Recovery and Reinvestment Act calls for all medical records to be electronic by 2014, meaning that much work must be done in 2012 and 2013 to prepare. New devices will be introduced that send sensitive information beyond the traditional boundaries of health care providers, and more and more health care providers are using mobile devices. Along with the need to secure newly implemented EHR systems, securing mobile devices and managing mobile clinical applications will continue to be an ever-increasing focus in the health care industry.

Mobile and Medical Devices Will Begin to Merge. Mobile devices and health care apps will proliferate, making it easier, for example, to transform a smartphone into a heart monitor or diabetes tester. As a result, some experts believe that industry health care groups will declare mobile devices to be medical devices in order to control and regulate them. As interoperability standards mature, more mobile devices and traditional medical devices will become nodes on an organization’s network. These devices also will share data with other devices and users and, as a result, be susceptible to the same threats and vulnerabilities that computers and other network-attached peripherals, such as printers and faxes, are susceptible to today.

Smart Grid Security Standards Will Keep Evolving. In the U.S., public utility commissions, along with the National Institute of Standards and Technology, will continue to develop smart-grid standards. State PUCs will begin to agree on a standard in the coming year. The government will increasingly require utilities to demonstrate that their smart grid and advanced metering infrastructure solutions protect not only the privacy of consumers and consumer usage data but also the security of the AMI infrastructure. At some point, a single federal framework will supersede state regulations and requirements.

New Concerns Will Surface About IPv6. The federal government is still struggling with the rollout of IPv6-enabled devices as organizations migrate from IPv4. This will be an ongoing concern and IPv6 specific vulnerabilities and threats will continue to cause trouble during 2012. In addition, the other two fundamental mechanisms of the Internet — Border Gateway Protocol and Domain Name System – also now offer a next-generation version. In 2012, many will start migrating to these newer versions, generating a new round of vulnerabilities and exploits.

Social-Engineering Threats Resurface. More targeted spear-phishing – an e-mail fraud attempt that targets a specific organization, seeking unauthorized access to confidential data – will be the major social-engineering threat of 2012. Efforts to educate user communities about safe computing practices will continue to be a challenge as the user base of smart devices increases dramatically. Social networking sites will continue to implement protection for users from malware, spam and phishing, but sophisticated threats will continue to seduce users into visiting a rogue website or revealing personally identifiable information online.

Security Certification Programs Will Increase in Popularity. Certifications will continue to increase, especially as the government accelerates IT mandates for its agencies in the areas of cloud and identity; and in turn, the private sector will follow suit. Internet threats will continue to affect business, government and user confidence and wreak havoc on computing devices in the office and at home. The challenge for all testing bodies will be to stay ahead of the ever-changing threat landscape and to evolve testing accordingly. Some testing bodies may suggest certifying the security of companies as a whole, not just their products or services, as a way to build trust online.

‘Big Data’ Will Get Bigger, and so Will Security Needs. “Big data” – large data sets that can now be managed with the right tools – will be popular in 2012 as more companies derive greater value through analytics. Companies will use the data to create new business opportunities while empowering evidence-based decision making for greater success. However, companies will need to secure this data in order to achieve the gains they seek.

Safeguarding Online Identities Will no Longer be Optional. With the rampant growth of online identity theft, consumers, businesses and government agencies are seeking ways to better protect their identities. These groups will look to the private sector to provide a cost-effective solution that helps to safeguard their identities and create greater online trust.

and finally

More great music from the master Mr. Combs: Last Train to Paris by Sean “Puffy” Combs’ new group Diddy-Dirty Money. With dark, atmospheric beats and a cinematic back story, the new project represents an entirely new side of the rap impresario. Fans may think they know him, but as he prepares to unleash his latest smash, they are about to experience an entirely new Combs, and an entirely new sound. Diddy-Dirty Money is about to redefine dance music for the new decade.

Courtesy of bassbintwins

Data breaches put IT jobs on the line: Survey

hrreporter.com
Nov 21, 2011

30 per cent of IT professionals say executive data breached

Serious data breaches have compromised the data of CEOs and other executives along with confidential customer data and data necessary for regulatory compliance. And IT managers are feeling the pressure, saying data loss incidents put their jobs on the line, according to a survey of 1,000 IT managers and 1,000 non-IT employees in the United States, United Kingdom, Canada and Australia.

Thirty per cent of Canadian IT professionals reported the CEO’s or other executives’ confidential data had been breached while 22 per cent reported losing data needed for compliance. And 40 per cent said data has been lost by employees, found the survey released by Websense, a content security and data theft protection company.

More than 80 per cent of Canadian IT professionals said their job would be at risk if a security incident were to occur, such as a breach of the confidential data of an executive (38 per cent), data needed for compliance being lost (32 per cent) or confidential information being posted on a social networking site (34 per cent).

There is a suspiciously large gap in the experience of IT managers and confessions from employees that indicates extensive under-reporting on security breaches, said Websense. Just two employees for every 100 admitted to posting confidential information on a social networking site but 23 per cent of IT managers said it has indeed occurred at their organization. One employee in 100 reveals they have introduced malware onto the network – but 32 per cent of IT managers have already seen it happen.

And if employees did accidentally compromise company data, 30 per cent of them would not tell their boss, found the survey Security Pros & ‘Cons’: Canadian IT Professionals on Confidence, Confidential Data and Today’s Cyber-cons.

Canadian IT managers said getting a divorce or getting married would be less stressful than protecting the company’s confidential data. In addition, 11 per cent said their job was less stressful and 20 per cent would rather start a new job.

But data security talk now involves top management, found Websense. More than 90 per cent of IT security managers said new levels of management have engaged in data security conversations in the last year, including the head of IT (42 per cent), managing director (37 per cent) and CEO (36 per cent).

“Companies need to recalculate their assumptions about how well their data is protected,” said Fiaaz Walji, Canadian country manager for Websense. “Advanced threats are using attack elements and methods that AV (anti-virus solutions) were not designed to address – and are written and tested specifically to bypass AV. Companies need a robust, layered security strategy… that can truly protect them from modern malware in the wild and effectively keep their confidential data protected, however it’s being used.”
