BreachExchange mailing list archives

USC investigates credit card security breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 3 Jul 2012 13:10:57 -0400

http://dailytrojan.com/2012/06/28/usc-investigates-credit-card-security-breach/

A forensic investigation led by Ernst & Young found instances of credit
card theft at several USC Hospitality venues over at least a one-month
period, according to an email from Dan Stimmler, associate senior vice
president of auxiliary services. Credit card numbers were obtained because
of a breach in third-party software that the university installed three
years ago, Stimmler said to the *Daily Trojan*.

Though credit card numbers were stolen, no personal information was
compromised, the email said.

The university received its first reported theft June 20 and contracted
Ernst & Young the following day to gather more details, investigate who
might be responsible and look into ways to prevent a future security
breach, Stimmler said. According to the email, the investigation has found
that the thefts began on May 21 — or possibly earlier — and ended June 21
after USC Auxiliary Services discovered the breach and shut down the system.

The affected hospitality venues include the Ronald Tutor Campus Center,
Seeds, The Lab and the Starbucks on the Health Sciences Campus.

Celine Lam, a senior majoring in cinematic arts and a writer for the *Daily
Trojan*, discovered her credit card number had been stolen when her bank
emailed her early this morning to inform her that someone in Northern
Florida had charged about $2 to her card. Lam, who saw signs Tuesday that
said the credit card software at the campus center had been disabled, said
the university should have told her of the situation earlier.

“The notices up around the food areas only said the system was down,
however. I personally would have liked to have been informed by USC as soon
as possible if they’d been looking into this situation for over a week,”
Lam said in an email.

The email advised faculty, staff, students and visitors to check their
credit card statements over the past few months and report any
irregularities to their credit card company.

“If you recently used your credit card at a USC dining facility, we
recommend that you check carefully all credit card statements that you
receive over the next several months, and as a precautionary measure, that
you also check statements for the past several months for any unusual
charges,” Stimmler said in the email.

Stimmler said he does not have an exact number of how many individuals were
affected by the thefts. But since the breach occurred after commencement, a
time when many students and faculty are off campus, he expects the number
to be smaller. Though the university is notifying impacted students,
faculty and staff, university officials cannot contact everyone who was
affected because of privacy issues.

“We are unable to notify all potentially impacted individuals directly
because the names of the credit card holders are known only to the banks
that issued the credit cards,” Stimmler said in the email. “For privacy
reasons, the issuing banks will not share names and contact information of
the credit card holders.”

The Department of Public Safety is investigating the incident
independently, Stimmler said.

No USCard information was compromised during the incident, the email said.

Stimmler said that, for now, the university will continue to use the same
software, but with new security standards. Stimmler also said that looking
for a new long-term software partner is a possibility.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
