
Supervalu / LoyaltyBuild Hack

Comments

  • Registered Users, Registered Users 2 Posts: 1,472 ✭✭✭tred


    ninja900 wrote: »
    According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted. This is strictly amateur hour stuff, I hope the DPC rides these guys sideways.

    Meanwhile nobody is saying which companies provided the remainder of the 1.5 million customers :mad:

    Agreed, this is nuts. I am nearly sure I read yesterday from LoyaltyBuild, "we don't store CVVs, and don't keep cards longer than 3 months". I suspect some idiot was logging data somewhere, including all the card numbers, and this was compromised. Seeing as they have the card numbers and names of the people compromised, they should contact everyone and say "the card ending in these last 4 digits" could be compromised. I had a couple of cards I could have used... I don't fancy cancelling them all. Interestingly, this morning, the reason the Revenue Commissioners are asking for the property tax for this year from those who paid by card is that they couldn't hold onto the credit card details in the system by LAW!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    ninja900 wrote: »
    According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted.

    Oh dear. That is very, very bad. That makes my inner security soul cry.


  • Registered Users, Registered Users 2 Posts: 9,592 ✭✭✭Padraig Mor


    Khannie wrote: »
    Oh dear. That is very, very bad. That makes my inner security soul cry.

    Should they even have had the numbers in the first place? I would have thought only the banks involved should have had this access? (know nothing about this area - apologies if I'm well off!).


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Should they even have had the numbers in the first place? I would have thought only the banks involved should have had this access? (know nothing about this area - apologies if I'm well off!).

    They may have been given the authority (by the customers) to retain CC information (like Amazon do, for example).

    Mod: This thread has two distinct aspects to it - InfoSec and Consumer / Banking issues. I'm going to move the original thread to Banking and fire up a new thread in here for InfoSec related discussion around this monumental balls up, splitting out relevant posts.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Aaaah. That's better. :)

    On the InfoSec side, as I said, it really hurts to think that people are this sloppy. That company is now unquestionably dead. Nobody would reasonably use them for anything ever again. The cost of proper security is something that I find people moaning about a lot, but the cost of something like this to a business is devastating. It's always safest to assume that a hacker has already breached your network, because, you know, they have.


  • Registered Users, Registered Users 2 Posts: 9,592 ✭✭✭Padraig Mor


    Khannie wrote: »
    They may have been given the authority (by the customers) to retain CC information (like Amazon do, for example).

    Mod: This thread has two distinct aspects to it - InfoSec and Consumer / Banking issues. I'm going to move the original thread to Banking and fire up a new thread in here for InfoSec related discussion around this monumental balls up, splitting out relevant posts.

    I ALWAYS decline invitations to store CC details and strangely enough I've received no correspondence from Supervalu despite having booked in the relevant period - maybe I was lucky?


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/
    Loyaltybuild: PCI compliance

    Earlier this year, Loyaltybuild achieved Payment Card Industry compliance – a standard created by the main credit card vendors worldwide to help e-merchants ensure high levels of security and protection over customer financial details.

    The standard covers everything from having antivirus software and intrusion protection systems installed, to secure practices around applications and best practice around documentation and operational procedures.

    “It’s an exhaustive and stringent standard, but one worth achieving,” says Egan. “It was a major undertaking but it brings huge benefits in terms of trust from your customers, who know that you have a certain standard of security protecting their credit card information. It also improves the general security around the company because it touches on so many different areas.”

    Loyaltybuild has made substantial investments in IT solutions, but there are more improvements in the pipeline. The company is looking at the possibility of migrating its websites to a new platform (from ColdFusion to RIA) to improve end-user experience, increase modularity and enable the in-house development team to add a greater variety of features going forward.
    How the hell were they compliant when everything was unencrypted and they were storing CVVs?


  • Registered Users, Registered Users 2 Posts: 779 ✭✭✭padraig.od


    I'd *guess* the main datastore was secured but some other code, like an app logger, was not? Any basic audit would have found the encryption lacking in the datastore.


  • Moderators, Business & Finance Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 51,688 Mod ✭✭✭✭Stheno


    Blowfish wrote: »
    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/

    How the hell were they compliant when everything was unencrypted and they were storing CVVs?

    They will now potentially incur huge charges for processing credit cards, and end up out of business.

    Shockingly sloppy on their part.

    How also did it take the best part of 18 months to find the breach, and how can they know it ended Jan. 2012?


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/


  • Registered Users, Registered Users 2 Posts: 910 ✭✭✭rick_fantastic


    While storing of sensitive authentication data has always been a big NO-NO, the stringency and depth of the PCI-DSS audit since 2009 has increased massively.

    The council will be asking serious questions of their auditors now and rightly so..

    Did LoyaltyBuild manage to retain their compliance status in subsequent years?

    I can well imagine this was a case that the main CC DB store was encrypted and logdbs were where the SAD was taken from


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    Blacknight wrote: »
    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/

    Good interview - thanks Conn.


    On a separate note - does anyone know who does the breach investigations on behalf of the Data Protection Commissioner? Is it in-house staff or external?


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    padraig.od wrote: »
    I'd *guess* the main datastore was secured but some other code, like an app logger, was not? Any basic audit would have found the encryption lacking in the datastore.

    PCI doesn't allow logging of CC details in the "app log" only a reference. Usually the last 4 digits. Maybe the first 4 too.

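    The two points above, sensitive authentication data leaking into application logs and PCI DSS allowing at most the first six and last four digits of a card number to appear, can be illustrated with a small log scrubber. This is an added example, not LoyaltyBuild's or any vendor's code; the field names, sample log lines and the PAN/CVV patterns are constructed assumptions.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, not adjacent
# to other digits.  Luhn filtering below weeds out booking refs and timestamps.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Key/value pairs that look like a card security code: cvv=123, CVC2: 9876
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|csc)(\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for plausible card numbers only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> tuple[str, int]:
    """Return the line with PANs masked and CVVs dropped, plus the PAN count."""
    masked = 0

    def repl(m):
        nonlocal masked
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave it alone
        masked += 1
        return mask_pan(digits)

    out = PAN_RE.sub(repl, line)
    out = CVV_RE.sub(r"\1\2[REDACTED]", out)  # SAD is never kept, even masked
    return out, masked

def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub every line; the total is what an audit of an old log would flag."""
    results = [scrub_line(line) for line in lines]
    return [out for out, _ in results], sum(n for _, n in results)

# Constructed sample log lines (not real data); 4111... is a Luhn-valid test PAN.
SAMPLE_LOG = [
    "2013-10-15 10:30:00 booking=1234567890123456 pan=4111111111111111 cvv=123",
    "2013-10-15 10:31:12 card='4111 1111 1111 1111' CVC2: 9876 amount=49.99",
    "2013-10-15 10:32:45 order=20131015103245 status=ok",
]
```

    Running `scrub_log` over an existing log directory before it is archived turns the same logic into a quick audit: any non-zero total means full card numbers were being written to disk.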

  • Registered Users, Registered Users 2 Posts: 1,505 ✭✭✭ElNino


    Why were they storing the card numbers in the first place? Surely the majority of their transactions were once off (e.g. people booking a holiday) and not repetitive transactions.


  • Moderators, Business & Finance Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 51,688 Mod ✭✭✭✭Stheno


    Blacknight wrote: »
    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/

    Good interview, thanks :)
    ifah wrote: »
    On a separate note - does anyone know who does the breach investigations on behalf of the Data Protection Commissioner? Is it in-house staff or external?

    They have some internal staff, but bring in external consultants if they need to iirc


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    Why were they storing the card numbers in the first place?

    Exactly. The most worrying part of it is card details being stored from transactions that have already taken place and have been charged/reconciled with the acquiring banks. Surely once it's charged for, that's the end of the matter, business done, delete card info.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    TheBoffin wrote: »
    Exactly. The most worrying part of it is card details being stored from transactions that have already taken place and have been charged/reconciled with the acquiring banks. Surely once it's charged for, that's the end of the matter, business done, delete card info.

    That's not the business they are in, it's a loyalty company where they attribute points/bonuses to the cards, so it's perfectly legit that they store the card data.


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    That's not the business they are in, it's a loyalty company where they attribute points/bonuses to the cards, so it's perfectly legit that they store the card data.

    I'm not talking about loyalty cards, silly, I am talking about credit cards.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    TheBoffin wrote: »
    I'm not talking about loyalty cards, silly, I am talking about credit cards.

    I misread, I thought LoyaltyBuild distributed branded credit/debit cards.


  • Registered Users, Registered Users 2 Posts: 910 ✭✭✭rick_fantastic


    They were last PCI audited in November 2012

    AFFINION INTERNATIONAL
    Internet / MOTO payment processing Loyalty Programmes Records Management
    November 2012
    Trustwave
    http://www.AffinionInternational.com

    So technically compliant status... I would not like to be the auditor in Trustwave who signed off on that....


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Not as sophisticated as they were making out. Yesterday and this morning, the media were reporting on a very sophisticated hacking.

    Data was unencrypted, claims Irish data protection commish
    According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules - CVV details were held unencrypted on Loyaltybuild's systems in the run-up to attacks in the middle of October.

    CVV - Card Verification Value - numbers are the three-digit security code found on the back of a credit or debit card, used to prove that a customer making an online purchase has physical possession of the card. They are an important anti-fraud measure.


  • Closed Accounts Posts: 5,857 ✭✭✭professore


    Blowfish wrote: »
    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/

    How the hell were they compliant when everything was unencrypted and they were storing CVVs?

    A client of mine who, ironically, was working with me on a project with LoyaltyBuild looked into getting PCI compliance for my part of the project; he was quoted 50 grand. I say ironic, since I wouldn't store credit cards, period, ever. PCI compliance: another scam to make money for consultants.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    RangeR wrote: »
    Data was unencrypted, claims Irish data protection commish

    Muppets.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    professore wrote: »
    A client of mine who, ironically, was working with me on a project with LoyaltyBuild looked into getting PCI compliance for my part of the project; he was quoted 50 grand. I say ironic, since I wouldn't store credit cards, period, ever. PCI compliance: another scam to make money for consultants.

    Consider that actual PCI compliance would have negated the fallout of this attack; it's not a scam.

    Getting true PCI compliance means some heavy duty security, as it should be.


  • Registered Users, Registered Users 2 Posts: 35,759 ✭✭✭✭Hotblack Desiato


    They were last PCI audited in November 2012

    AFFINION INTERNATIONAL
    Internet / MOTO payment processing Loyalty Programmes Records Management
    November 2012
    Trustwave
    http://www.AffinionInternational.com

    So technically compliant status... I would not like to be the auditor in Trustwave who signed off on that....

    This is maddening; it's the finance industry/banks all over again. All had 'audits' that weren't worth the paper they were printed on.

    DigiNotar got f**ked out of business for incompetence and breach of trust, Trustwave have got plenty of explainin' to do.

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 1,505 ✭✭✭ElNino


    This article might give some hints as to why LoyaltyBuild retained credit and debit card numbers
    http://www.irishexaminer.com/ireland/loyaltybuild-owners-pay-out-30m-in-us-249580.html


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    This article might give some hints as to why LoyaltyBuild retained credit and debit card numbers
    http://www.irishexaminer.com/ireland...us-249580.html

    Refunds or not, they should not be storing card details after the transaction completes. If refunds were to be made then they should have been made by cheque.

    The only time ANY payment card details should be stored is if a card payment authority is set up for one or more transactions and the customer is notified about it.


  • Registered Users, Registered Users 2 Posts: 35,759 ✭✭✭✭Hotblack Desiato


    It gets worse.

    http://www.irishtimes.com/news/consumer/customers-of-eight-more-firms-have-personal-data-stolen-1.1595359
    Customers of a further eight companies including Clerys, Centra, Postbank and Pigsback have had their personal information stolen in the data breach at Co Clare-based company Loyaltybuild.

    Credit card information of customers of Clerys’ loyalty travel scheme as well as personal details including names, addresses, phone numbers and email addresses are now known to have been stolen in the cyber attack. Non-financial information of customers of Centra, vouchers website PigsBack, Postbank Ireland and a small Ennis orthodontics company called TOG were also compromised.

    Credit card details of Stena Line customers in Northern Ireland have also been compromised as have a small number of credit card details and the personal data of customers of Northern Unislim.

    Loyaltybuild said last night that it had ceased taking bookings on its website and over the phone, effectively shutting down its operation.

    ‘Give customers confidence’

    “We have done this to enable our external data experts to complete their investigation into the attack and to put into place the necessary protections and certifications to give our customers the highest degree of confidence when booking with us in the future,” the company’s general manager Peter Steenstrup said.

    They still think their pathetic company has a future?

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    ninja900 wrote: »
    They still think their pathetic company has a future?

    I'm sure they're screwed. I can't see anyone recovering from something like this but I'm also sure that management should and will try very hard to keep peoples jobs.

