Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

The 10 Biggest Bank Card Hacks

From: InfoSec News <alerts () infosecnews org>
Date: Wed, 3 Dec 2014 11:09:00 +0000 (UTC)
http://www.wired.com/2014/12/top-ten-card-breaches/

By Kim Zetter
Threat Level
Wired.com
12.02.14
The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches.
A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot.
Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen.
Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.
The PCI security standard (.pdf) which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. 

[...]


--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
Previous By Date Next
Previous By Thread Next

Current thread: