It should be interesting to hear how they justified their failure to notify.
Wards didn't tell consumers about credit card hack
Friday, June 27 2008 @ 01:43 PM EDT Contributed by: PrivacyNews
Associated Press reports that Montgomery Ward, which had been bought out by Direct Marketing Services, was hacked and at least 51,000 customers' credit card numbers were accessed -- but DMS didn't notify the customers, despite the fact that they were aware of the problem since December and had notified their payment processor, MasterCard, Visa, and the Secret Service. AP
Related There is more from the Breach Blog
Technorati Tag: Security Breach
Date Reported: 6/27/08
Organization: Direct Marketing Services Inc.
Number Affected: "at least 51,000 records"
Types of Data: Names, addresses, phone numbers, card numbers, "security codes", and expiration dates
Breach Description: "NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."
Report Credit: The Associated Press
... Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.
By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above). I don't know what the sixth is.
... Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.
Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.
[Evan] This is sad. The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response. Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures. Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.
... This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.
... Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.
... Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
On the Net: Links to the 44 state notification laws
Is this related to the Citibank ATM hack?
EXCLUSIVE: Visa notifying many New York banks of debit card compromise
Saturday, June 28 2008 @ 07:56 AM EDT Contributed by: PrivacyNews
The Dime Savings Bank of Williamsburgh has notified some of its customers that it is reissuing debit cards to some of its customers whose accounts may have been compromised.
According to their letter dated June 25, "Many area banks have recently received information from Visa's Security and Risk Management department advising us of the possible compromise of a minimal amount of Debit Card account numbers."
The Dime Savings Bank of Williamsburgh is a Brooklyn-based bank. At this time, it is not known what other area banks in New York have been notified by Visa and whether this breach has any connection with the ring involved in the Citibank ATM breach. If anyone has additional information, please email it to email@example.com
No indication in the article as to which breach this was. Also note that the local banks were not warned by the Secret Service – does that suggest a Credit Union only breach?
Credit card theft hits Envision members, Tallahassee residents
Friday, June 27 2008 @ 11:02 AM EDT Contributed by: PrivacyNews Breaches
Theft of information from more than a million credit and debit cards by computer hackers who gained access to the database of a national restaurant chain has turned 612 Envision Credit Union members — and perhaps others in the area — into victims.
A spokesman for the credit union said only two fraudulent attempts to use cards have been noted, including one using the card of Ray Cromer, Envision's president.
Source - Tallahassee.com
Note: this may be related to the Dave & Buster's breach -- Dissent.
It would be nice to have someone match the reports of breach with the transcripts of prosecutions. Perhaps it would shed more light on the techniques used and point out the non-disclosers at the same time.
Maple Grove hacker corrals thousands of credit card accounts
Friday, June 27 2008 @ 05:05 PM EDT Contributed by: PrivacyNews
A 21-year-old Maple Grove man admitted in federal court today to hacking his way to the credit card account information of thousands of people and using some of the information to add value to gift cards that he purchased and then sell the cards on Craigslist. Mann obtained credit card account information from thousands of victims by hacking into an Internet-based order-processing server.
Zachary W. Mann pleaded guilty to wire fraud and aggravated identity theft before U.S. District Court Chief Judge James Rosenbaum in Minneapolis.
Source - Star Tribune
[From the article:
From January to March, [Justice is swift in Minneapolis. Bob[ Mann obtained credit card account information from thousands of victims by hacking into an Internet-based order-processing server.
Undue reliance? Socialized medicine? Osama bin Laden?
UK: Computer failure puts cancer sufferers at risk
Suspected cancer patients at top London hospitals have missed critical appointments after their records were lost by a new multi-billion-pound computer system.
Patients missed appointments with a specialist within the necessary two weeks because of problems with the new Care Records Service installed under the NHS £12.7 billion
Programme for IT (NPfIT). Problems arose in April when Bart’s and The London Trust switched to the new system, which failed to keep track of patient data. As well as missing urgent appointments, patients were booked into closed clinics and appointments were repeatedly cancelled, a report in Computer Weekly revealed today.
Full story - Evening Standard
[From the article:
The Care Records Service - the world's largest non-military IT programme - was launched in 2002 to keep an electronic record for 50 million patients across Britain.
Directors at Bart's were told of the problems at a board meeting this week.
Business opportunities: There should still be space for sites like “How to fill out legal forms” and “TaxWiki” and “Grammar School Tutor” and “Algebra for Fun and Profit” and “Hacking into TJX”
The Web Knows How
By Eric Benderoff Chicago Tribune 06/28/08 4:00 AM PT
... The Web has become the place where people go to learn new tricks. Traffic to sites like eHow.com and WikiHow.com have doubled over the past year, according to figures from ComScore Networks, while start-ups such as Howcast.com and Findhow.com, a search engine to find "how-to" content, are entering the field.
... This month, Ted Ives launched his new site, Findhow.com. It's a search engine for how-to content that categorizes a wide range of content from various sites across the Web.
... If you want to learn how to change a dimmer switch, Findhow offers eight results, including video and text-based content from HomeDepot.com.
Related Like www.LULU.com, but limited to magazines. There might be a market – people who want documents they can hold... (Not much on this site, yet.)
MagCloud.com - Publish and Print your Own Magazine
MagCloud allows you to publish your own magazine and sell it online so that you make all the profit. MagCloud takes care of all the work after you create it yourself – printing, mailing, subscriptions, etc. It doesn´t cost you anything to design your magazine and all you need is a PayPal account so that you can sell the product above production cost to generate your earnings. MagCloud requires that you upload a PDF but that´s pretty much about it – the rest is up to you. You can also browse others´magazines on MagCloud and purchase those you wish by creating an account. While MagCloud is in it´s Beta stage, magazine creators have to request an invitation in order to publish.