Nicole Perlroth | The New York Times
P.F. Chang's China Bistro said Tuesday that it is investigating a potential security breach that may have led to the theft of information from thousands of customer credit cards.
The possible theft was first reported by Brian Krebs, a security blogger, who noted thousands of fresh credit cards appeared on Rescator, a so-called carding site that was used to sell payment data after last year’s Target network breach. Data from the magnetic strips of the latest stolen cards is selling for between $18 and $140 per card.
Mr. Krebs said representatives from affected banks had purchased several stolen credit cards from carding sites and discovered that many were used recently at P.F. Chang's.
"P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more," Anne Deanovic, a spokeswoman for the company, based in Scottsdale, Ariz., said in a written statement. "We will provide an update as soon as we have additional information."
Ms. Deanovic said the company had not yet tied fraudulent activity on customers' credit cards to the possible breach. The Secret Service, which has been conducting an inquiry into recent hacks at Target, Neiman Marcus and others, did not immediately return a request for comment.
P.F. Chang's was acquired by private-equity firm Centerbridge Partners LP in 2012 for $1.1 billion. It operated 200 Asian restaurant bistros and some 170 Pei Wei Asian Diners at the time of the deal.
It is the first significant appearance of information from stolen credit cards since March, when data from 282,000 cards was tied to a possible breach at Sally's Beauty.
If the breach is confirmed, P.F. Chang’s will be the fifth major retail chain - after Target, Neiman Marcus, Michaels and Sally's Beauty - to acknowledge that its systems were recently compromised. In those cases, criminals installed so-called malware on retailers' systems, which fed customers' payment details back to their computer servers.
A report from Bloomberg identified Sears as another company that had been breached, but the company and law enforcement officials have denied the reports.
The tally of customers affected by these recent breaches now exceeds one-third of the American population.
The same group of criminals in Eastern Europe are believed to be behind the hacks, and to be part of a broader cyberattack directed at as many as six other retailers, according to two people investigating the breaches who were not authorized to speak publicly.
The entry point for each breach differed, according to one law enforcement official. At Target, it was believed to be a Pennsylvania company that provided heating, air-conditioning and refrigeration services to the retailer. Criminals were able to use the company's log-in credentials to gain access to Target's systems, and eventually to its point-of-sale systems.
On Tuesday, a joint report by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that retail companies are still unprepared for such attacks.
In a survey of 595 computer-security experts in the United States, the majority - 64 percent - believed their organizations still lack the technology and tools to quickly detect database attacks. Only one-third said they do the kind of continuous database monitoring needed to identify irregular activity in their databases. Another 22 percent admitted that they do not scan at all.
"The best approach to avoid an attack on a retail organization is continuous monitoring, which helps you understand your environment to detect gratuitous or anomalous traffic," said Larry Ponemon, the founder of the Ponemon Institute in an interview Tuesday. "All it takes is one successful attack."
The TNS Group is a leading technology services company located in Stamford, CT committed to delivering IT innovation and excellence!
Wednesday, June 11, 2014
Friday, June 6, 2014
FTC: Data Brokers Know You Better Than Mom Does
Information Week | Thomas Claburn
Federal Trade Commission report calls for restrictions on data brokers, finds companies gather billions of consumer transactions daily, largely without public knowledge.
Companies that silently gather data on consumers should be more transparent about what they do and should give consumers more control over the information they collect, a Federal Trade Commission report said Tuesday.
The report examines the practices of nine data brokers: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intellius, PeekYou, RapLeaf, and Recorded Future. It concludes that the data gathering industry in the US operates without meaningful transparency or public accountability and recommends that Congress consider legislation to address those deficiencies.
"The extent of consumer profiling today means that data brokers often know as much -- or even more -- about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more," said FTC Chairwoman Edith Ramirez in a statement. "It's time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist."
The report finds that data brokers have information on almost every US consumer, collect billions of data points every month, and often share this information with other data brokers. The companies collect information about what people buy, their social media activity, product registrations, magazine subscriptions, religious and political affiliations, and a variety of other details. They combine online and offline information to create categorical profiles, some of which might offend those so characterized or might be considered sensitive because they focus on ethnicity, income, education level, or health conditions.
For example, categories such as "Urban Scramble" and "Mobile Mixers" include a high-concentration of Latinos and African Americans with low incomes. The category "Rural Everlasting" refers to "single men and women over the age of 66 with 'low educational attainment and low net worths.' " Other categories include those believed to be pregnant, those concerned about diabetes, and those concerned about high cholesterol.
The report notes these categorizations could create costs for consumers if, for example, insurance companies elect to use these profiles to evaluate individuals' health or injury risks.
Peggy Hudson, senior VP of government affairs for the Direct Marketing Association, said in an emailed statement that the DMA has long supported transparency and consumer choice through services like DMAchoice, for opting out of mailings, and through cooperation with the Digital Advertising Alliance.
Hudson contends that, despite thousands of pages of documentation and two years of investigation, the FTC report "finds no actual harm to consumers, and only suggests potential misuses that do not occur."
Daniel Castro, director of the Center for Data Innovation, a think data promoting data usage in business that's affiliated with the Information Technology and Innovation Foundation, said in an emailed statement that forcing companies to provide consumers with notice after every transaction would hinder commerce while doing little to promote consumer trust. "The FTC seems to be stuck in a notice-and-choice world while everyone else is trying to move on," he said.
In a follow-up email, Castro elaborated on why he believes notice-and-consent, the traditional privacy paradigm, is no longer relevant. He favors the term "notice-and-choice," perhaps because the absence of "consent" implies a transgression of some sort. The absence of choice merely suggests a more limited menu of options.
"The problem with notice-and-choice is it's disruptive to the free flow of data," said Castro. "For example, if Google had to serve up (in the words of the FTC) a 'prominent notice to consumers' every time somebody clicked 'search,' we wouldn't have things like Google Flu trends."
Castro argues that notice-and-choice worked for the world of paper records, but breaks in the digital world, in terms of online products and services. "You don't see a lot of petitions asking the government 'please require websites to give us more pop-up notices.' Or citizens calling their members of Congress saying they wish their hair stylists and plumbers would be like their doctors and give them a HIPAA-like privacy notice before providing them a service."
Castro, like Hudson, chides the FTC report for its focus on "speculative harms." Yet, such data gathering represents a speculative harm in part because there's so little transparency. How is an individual to know whether he or she has been harmed by a data transaction -- through a higher insurance premium, for example -- if the data broker does not reveal what data was sold and the data buyer does not explain the data's impact on decision making?
Perhaps more to the point, privacy is not measured by the absence of harm. An unknown person standing in your bedroom at night may not do any harm. But you would probably prefer more privacy, even with the assurance that your lurking guest merely wants to see if you're in the market for sleeping pills.
Federal Trade Commission report calls for restrictions on data brokers, finds companies gather billions of consumer transactions daily, largely without public knowledge.
Companies that silently gather data on consumers should be more transparent about what they do and should give consumers more control over the information they collect, a Federal Trade Commission report said Tuesday.
The report examines the practices of nine data brokers: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intellius, PeekYou, RapLeaf, and Recorded Future. It concludes that the data gathering industry in the US operates without meaningful transparency or public accountability and recommends that Congress consider legislation to address those deficiencies.
"The extent of consumer profiling today means that data brokers often know as much -- or even more -- about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more," said FTC Chairwoman Edith Ramirez in a statement. "It's time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist."
The report finds that data brokers have information on almost every US consumer, collect billions of data points every month, and often share this information with other data brokers. The companies collect information about what people buy, their social media activity, product registrations, magazine subscriptions, religious and political affiliations, and a variety of other details. They combine online and offline information to create categorical profiles, some of which might offend those so characterized or might be considered sensitive because they focus on ethnicity, income, education level, or health conditions.
For example, categories such as "Urban Scramble" and "Mobile Mixers" include a high-concentration of Latinos and African Americans with low incomes. The category "Rural Everlasting" refers to "single men and women over the age of 66 with 'low educational attainment and low net worths.' " Other categories include those believed to be pregnant, those concerned about diabetes, and those concerned about high cholesterol.
The report notes these categorizations could create costs for consumers if, for example, insurance companies elect to use these profiles to evaluate individuals' health or injury risks.
Peggy Hudson, senior VP of government affairs for the Direct Marketing Association, said in an emailed statement that the DMA has long supported transparency and consumer choice through services like DMAchoice, for opting out of mailings, and through cooperation with the Digital Advertising Alliance.
Hudson contends that, despite thousands of pages of documentation and two years of investigation, the FTC report "finds no actual harm to consumers, and only suggests potential misuses that do not occur."
Daniel Castro, director of the Center for Data Innovation, a think data promoting data usage in business that's affiliated with the Information Technology and Innovation Foundation, said in an emailed statement that forcing companies to provide consumers with notice after every transaction would hinder commerce while doing little to promote consumer trust. "The FTC seems to be stuck in a notice-and-choice world while everyone else is trying to move on," he said.
In a follow-up email, Castro elaborated on why he believes notice-and-consent, the traditional privacy paradigm, is no longer relevant. He favors the term "notice-and-choice," perhaps because the absence of "consent" implies a transgression of some sort. The absence of choice merely suggests a more limited menu of options.
"The problem with notice-and-choice is it's disruptive to the free flow of data," said Castro. "For example, if Google had to serve up (in the words of the FTC) a 'prominent notice to consumers' every time somebody clicked 'search,' we wouldn't have things like Google Flu trends."
Castro argues that notice-and-choice worked for the world of paper records, but breaks in the digital world, in terms of online products and services. "You don't see a lot of petitions asking the government 'please require websites to give us more pop-up notices.' Or citizens calling their members of Congress saying they wish their hair stylists and plumbers would be like their doctors and give them a HIPAA-like privacy notice before providing them a service."
Castro, like Hudson, chides the FTC report for its focus on "speculative harms." Yet, such data gathering represents a speculative harm in part because there's so little transparency. How is an individual to know whether he or she has been harmed by a data transaction -- through a higher insurance premium, for example -- if the data broker does not reveal what data was sold and the data buyer does not explain the data's impact on decision making?
Perhaps more to the point, privacy is not measured by the absence of harm. An unknown person standing in your bedroom at night may not do any harm. But you would probably prefer more privacy, even with the assurance that your lurking guest merely wants to see if you're in the market for sleeping pills.
Wednesday, June 4, 2014
Malware creation breaks all records! 160,000 new samples every day
net-security.org
Malware creation has broken all records during this period, with a figure of more than 15 million new samples, and more than 160,000 new samples appearing every day, according to Panda Security.
Trojans are still the most abundant type of new malware, accounting for 71.85% of new samples created during Q1. Similarly, infections by Trojans were once again the most common type of infection over this period, representing 79.90% of all cases.
In the area of mobile devices, there have been increasing attacks on Android environments. Many of these involve subscribing users to premium-rate SMS services without their knowledge, both through Google Play as well as ads on Facebook, using WhatsApp as bait.
Along these lines, social networks are still a favorite stalking ground for cyber-criminals, The Syrian Electronic Army group, for example, compromised accounts on Twitter and Facebook, and tried to gain control of the facebook.com domain in an attack that was foiled in time by MarkMonitor.
During the first three months of the year we have witnessed some of the biggest data thefts since the creation of the Internet, and as expected, Cryptolocker, the malicious file-encrypting ransomware which demands a ransom to unblock files, has continued to claim victims.
"Over these months, levels of cyber-crime have continued to rise. In fact, we have witnessed some of the biggest data thefts since the creation of the Internet, with millions of users affected”, explains Luis Corrons.
So far in 2014, Trojans are still the malware most commonly used by cyber-criminals to infect users. According to data from PandaLabs, four out of five infections around the world were caused by Trojans, that’s 79.90% of the total. Viruses are in second place, accounting for 6.71% of infections, followed by worms, with a ratio of 6.06%.
Trojans also top the ranking of newly created malware, accounting for 71.85% of the total, followed by worms, at 12.25%, and viruses at 10.45%.
The global infection rate during the first three months of 2014 was 32.77%. China is once again the country with most infections, with a rate of 52.36%, followed by Turkey (43.59%) and Peru (42.14%). Although Spain is not in the top ten of this ranking, it is still above the global average with 33.57%.
European countries ranked high among the least infected countries, with the best figures coming from Sweden (21.03%), Norway (21.14%), Germany (24.18%) and Japan, which with a ratio of 24.21%, was the only non-European country in the top ten of this list.
Malware creation has broken all records during this period, with a figure of more than 15 million new samples, and more than 160,000 new samples appearing every day, according to Panda Security.
Trojans are still the most abundant type of new malware, accounting for 71.85% of new samples created during Q1. Similarly, infections by Trojans were once again the most common type of infection over this period, representing 79.90% of all cases.
In the area of mobile devices, there have been increasing attacks on Android environments. Many of these involve subscribing users to premium-rate SMS services without their knowledge, both through Google Play as well as ads on Facebook, using WhatsApp as bait.
Along these lines, social networks are still a favorite stalking ground for cyber-criminals, The Syrian Electronic Army group, for example, compromised accounts on Twitter and Facebook, and tried to gain control of the facebook.com domain in an attack that was foiled in time by MarkMonitor.
During the first three months of the year we have witnessed some of the biggest data thefts since the creation of the Internet, and as expected, Cryptolocker, the malicious file-encrypting ransomware which demands a ransom to unblock files, has continued to claim victims.
"Over these months, levels of cyber-crime have continued to rise. In fact, we have witnessed some of the biggest data thefts since the creation of the Internet, with millions of users affected”, explains Luis Corrons.
So far in 2014, Trojans are still the malware most commonly used by cyber-criminals to infect users. According to data from PandaLabs, four out of five infections around the world were caused by Trojans, that’s 79.90% of the total. Viruses are in second place, accounting for 6.71% of infections, followed by worms, with a ratio of 6.06%.
Trojans also top the ranking of newly created malware, accounting for 71.85% of the total, followed by worms, at 12.25%, and viruses at 10.45%.
The global infection rate during the first three months of 2014 was 32.77%. China is once again the country with most infections, with a rate of 52.36%, followed by Turkey (43.59%) and Peru (42.14%). Although Spain is not in the top ten of this ranking, it is still above the global average with 33.57%.
European countries ranked high among the least infected countries, with the best figures coming from Sweden (21.03%), Norway (21.14%), Germany (24.18%) and Japan, which with a ratio of 24.21%, was the only non-European country in the top ten of this list.
Subscribe to:
Posts (Atom)