Heartland Payment Systems Hacked
Identity thieves install spyware to monitor transactions from the inside
In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.
Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Threat Level, it processes more than 100 million transactions a month.
Federal investigators determined the source of the breach only last week: spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.
“Heartland believes the intrusion is [now] contained,” reads the press release.
Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.
Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholders’ addresses, PIN numbers, and other personal data were also unaffected.
The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldwin justified as necessary “to get the authorization request out.”
Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.
“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”
“Heartland may — and I do stress may — have been the hidden link between them,” he said.

Is your information protected?
Johannesburg -
In today's technology-driven world, it is amazing how many people do not take the steps to protect their information, specifically when the information is mobile.
It is evident that people finally understand the value of their information. This includes private information, business-related information and sensitive data belonging to clients. This private and confidential information has an immeasurable value and has disastrous effects on people and businesses if the information is lost or falls into the wrong hands.
(Photo: John Mc Loughlin, Managing Director of J2 Software)
Corporate losses are made up of actual monetary loss, legal fees, hefty settlements, identity theft or loss of reputation and client trust, to name a few.
"Ask those around you what they do to protect their assets and you will get a multitude of answers. This includes burglar bars and alarm systems for homes or businesses; transponder immobilisers and tracking systems for motor cars, armed response, etc. What about your information? Is this not also a prized and most valuable asset worth protecting?" asks John Mc Loughlin, Managing Director of J2 Software.
"I have seen that generally the corrective measures are only put in place once data loss has already occurred," says Mc Loughlin, "rather than taking some simple steps to protect information from the outset."
You have to ask yourself if you are taking the necessary steps to protect your confidential information. Is your data locked up and protected?
(Photo: T3 SecurityKey plugs into any USB port)
"All users need to ensure that their data is instantly locked-down to prevent unauthorised access. A perfect scenario is to provide an 'ignition-key' for your information; without the physical device your data is protected, and so is your identity. The solution must include industry strength data encryption to ensure that even in the extreme case of theft your information remains safe," Mc Loughlin adds. "Finally, you must also ensure that this is encompassed in a single solution which is easy to use for all levels of IT Users, such as the T3 SecurityKey. The people with the most sensitive company information are not always the most IT savvy and what is the use of a comprehensive mobile data protection solution if the person carrying the data refuses to use it?"

J2 Software
J2 Software is a local data security solutions provider and distributor of the T3 SecurityKey and SystemSkan. J2 provides easy to manage, easy to implement and easy to use data security solutions. J2 offers solutions for everyone, from single-users up to large corporations.
J2 Software provides effective and easy to manage data security solutions. We offer you complete peace of mind through the cost effective delivery of world beating data security, encryption and protection tools.
With the continued increase in identity theft and confidential data leakage, the need for our products is not only an advantage, but an absolute necessity.
EDITORIAL CONTACTS
J2 Software
John Mc Loughlin
Managing director
(011) 794 8301
john@t3southafrica.co.za

Stolen laptop had job-seeker details
SAN FRANCISCO (AP) -- A thief stole a laptop computer containing unencrypted personal information of 800,000 people who applied for jobs at Gap Inc., the clothing retailer announced Friday.
The laptop stored Social Security numbers and other data from people in the U.S., Puerto Rico and Canada who applied online and by phone between July 2006 and June 2007 for jobs at Gap, Old Navy, Banana Republic and Outlet stores.
The incident came on the heels of a finding this week by the Canadian government that another international retailer, TJX Cos., hadn't sufficiently encrypted data it stored from customer transactions, and that failure enabled hackers who intercepted wireless communications to steal data on millions of customers.
The break-in gave hackers undetected access to TJX's central databases for a year and a half, exposing at least 45 million credit and debit cards to potential fraud.
Data about job applicants - who must often provide Social Security numbers, job histories, home and e-mail addresses and other information - is a favorite target of hackers.
A security breach last month at online job site Monster.com exposed the confidential information of 1.3 million people looking for jobs.
Gap said the laptop was lifted from the offices of a third-party vendor that manages job applicant data for the San Francisco-based clothier, but the company would not provide the vendor's name or other details of the theft.
The company said job applicants have not notified it of any instances of identity theft or fraud related to the incident.
Storing data without encrypting it to protect it from hackers is contrary to Gap's agreement with the third-party vendor, Gap said Friday.
"What happened here is against everything we stand for as a company," said Gap Chairman and CEO Glenn Murphy. "We're reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again."
Multiple outside companies manage job applicant data for Gap so not everyone who applied for retail work with the company had confidential data compromised. And the laptop did not contain Canadian applicants' Social Insurance Numbers.
Gap is notifying the affected applicants and offering a year of free credit monitoring services with fraud resolution assistance. The company has also set up a 24-hour help line.
Gap, which operates more than 3,100 stores in the United States and five other countries, is working with law enforcement officials to investigate the theft.

Eden laptop theft sparks ID theft fears
Innocence lost
There's trouble in paradise after a third-party supplier lost a laptop containing the personal details of hundreds of workers at Cornwall's Eden Project. The theft of the PC from the car of a worker for Moorepay, the firm that handles the project's payroll, has sparked ID theft fears.
Information held on the PC included the names, addresses, bank particulars and National Insurance numbers for 500 workers at the attraction. It's unclear whether the payroll details of other firms were compromised by the attack.
Tim Smit, Eden's creator, told the BBC: "A computer containing the personal details of employees of a number of companies, including the Eden Project Ltd, has been stolen from the car of an employee working for a contracted payroll company. Suffice to say we are appalled at the lapse of security and are making sure that our personal data is never put in such a vulnerable position again," he added. Police are investigating the 1 June theft, which became public this week.
Security experts said the case highlighted the fact that a firm's security exposure was reliant on that of its suppliers. "As well as putting internal security measures in place - enterprises need to be more cautious regarding third party companies that they share sensitive information such as payroll details with," said Jamie Cowper, marketing director at data encryption firm PGP. "Without a thorough assessment of the threat status of companies such as Moorepay, existing security policies can easily be rendered useless." ®

M&S in ID theft flap over stolen laptop
Marks & Spencer has become the latest large organisation embroiled in an identity theft-related security flap.
A laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees has been stolen from a printing firm, which was tasked with the job of writing to workers about pension changes. M&S wrote to all staff whose names were on the laptop, warning them of the risk and offering free credit checks as a result.
It's unclear if any of the data has fallen into the hands of crooks. It may be the thief was just an opportunist looking for free hardware.
News of the theft, which emerged over the weekend, follows similar security flaps at the Royal Cornwall Hospital Trust, Nationwide Building Society, the Metropolitan Police, Serco, and others.
Security firms were quick to point to the latest theft as another reason to use disk encryption in order to protect sensitive data. PGP Corporation spokesman Jamie Cowper said: "Staff and customers are increasingly concerned about the possibility of identity theft, and the offending company suffers not only high financial costs, but also risks enormous damage to their brand in the aftermath of a breach.
"Encryption and proper authorisation controls are quickly becoming essential measures for the protection of sensitive customer and employee data - companies need to realise this before legislation in this area drives greater punishment."
In other information security breach news, HM Revenue and Customs has apologised after sending the bank details of other claimants to punters applying for tax credits. It blamed a printer cock-up for the security snafu. Those affected were notified by letter last week. Many of those affected live in Northern Ireland, the BBC reports. ®