But...Who is it really?

2009-01-19 by d2d

Update: This is looking like it isn't a breach at a retailer but a breach at a card processor. This is still unfolding and could be unrelated to the story below, but it increasingly looks like Heartland Payment Systems is the source. If anyone has evidence of any kind linking the Heartland breach to these banks, drop us an email.

A recent article suggests that a major retailer has suffered a significant breach affecting thousands of card holders. The breach apparently involves a merchant of First Data Corporation, the organization that runs the STAR debit/ATM network, and it may also be affecting customers of banks around the country.

The question is, who is this major retailer? We're hearing rumblings that this is a significant breach. Unfortunately, those covering it so far haven't dug up that information.

This isn't the first time we've heard of a retailer having a problem only to never learn the retailer's name, but this one seems more significant than those before it. We heard similar rumblings before the Hannaford incident.

Update: This article may be related?

What would a card processor gain by protecting the identity of an offending merchant? Several theories have been put forward. In a bad economy, it could be a desire not to further damage already battered consumer confidence, or to protect the retailer, again given the economy. Or perhaps there is more to it: perhaps the retailer in question was PCI compliant, and disclosing its name would bring additional criticism of PCI's Data Security Standard.

And what of breach notification laws? Does having the banks (who know little to nothing of the details) send notifications in place of the offending merchant comply with those laws, or does it circumvent their spirit? Do data breach notification laws exist only to alert consumers to fraud, or are they also meant to help consumers make safer choices about who they do business with?

Hopefully someone will shed a little light on this situation in the near future.


by d2d [Data Loss Maven] on 2009-01-20

We're not going to put a number on this yet. We're hearing conflicting reports about the total. Washington Post seems to be going out on a limb with that 100,000,000 number...but we'll see.

by Anonymous on 2009-01-20

I'll go out on a limb too.

I have reliable information that the breach was on-going from May to November. HPS processes over 100 million transactions a month. You do the math.

If even a large percentage of those transactions were repeat customers with the same card, I wouldn't be surprised to see the final number in the 200 million range.

Tom Mahoney, Director

Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.