AB Acquisition LLC and Supervalu Inc. Announce Second Hacking Incident Involving Payment Card Data Processing


By William Knowles @c4i
Senior Editor
InfoSec News
September 30, 2014

AB Acquisition LLC and Supervalu Inc. are the newest group of retailers that have been hit by security breaches this year. That list includes Aaron Brothers, Bartell Hotels, CVS, eBay, Goodwill Industries International Inc., Home Depot, Jimmy Johns, Michaels Stores, Neiman Marcus, Recreational Equipment Inc., Sally Beauty Supply, and Sears.

On September 29, 2014, AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., was notified by its third-party IT services provider, Supervalu Inc., of a separate, more recent, attempted criminal intrusion seeking to obtain payment card information used in some of its stores. AB Acquisition has been informed that a different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing.

Supervalu Inc. (NYSE: SVU) announced on September 29, 2014 that it also experienced a criminal intrusion into the portion of its computer network that processes payment card transactions at Supervalu’s Shop ’n Save, Shoppers Food & Pharmacy, and four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, MN, where implementation of the enhanced protective technology had not yet been completed.

For these four franchised stores, Supervalu Inc. believes that the malware may have been successful in capturing account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some checkout lanes during the period of August 27 (at the earliest) through September 21 (at the latest), 2014.

Both companies discovered that, in what they believe to have been late August or early September 2014, an intruder installed different malware into the portion of their computer network that processes payment card transactions.

Because the point of sale systems are different across AB Acquisition divisions, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and their two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected by this new incident.

AB Acquisition LLC and Supervalu Inc. have made no determination that any cardholder data was in fact stolen by the intruder. Given the continuing nature of the investigation, it is possible that time frames, locations, at-risk data, and/or other facts in addition to those described above will be identified in the future.

Both AB Acquisition LLC and Supervalu Inc. customers who used their payment cards at those locations listed above during the relevant time period will receive 12 months of complimentary consumer identity protection services through AllClear ID.

Photo by Matt Baume via Compfight, Creative Commons License

Malware Scam Uses NSA/CSS Seal



By William Knowles @c4i
Senior Editor
InfoSec News
September 29, 2014

For an agency that for the longest time was known as No Such Agency, the NSA is now, thanks to Edward Snowden, on center stage for everyone, including malware writers.

The NSA Public Affairs Office is alerting the public of a scam that uses the NSA/CSS seals and banner. Victims of this malware scam report that a pop-up or a locked Internet browser alerts them that they have violated the law and/or are being monitored. Depending on where they are in the world, the latter part is likely true.

The malware scammer may also request that victims pay a fine. This activity and the associated alerts have no affiliation to the federal government, NSA included, and no money should be paid to the scammers.

Victims should consult a computer professional on how to address the computer infection. Victims may also contact the Internet Crime and Complaint Center, a partnership between the FBI and National White Collar Crime Center that accepts Internet-related criminal complaints.

The NSA recommends users looking for more information on malware to review the NIST Guide to Malware Incident Prevention and Handling.

Photo by DonkeyHotey via Compfight, Creative Commons License

216 Jimmy John’s Gourmet Sandwiches Shops Suffer Data Breach


By William Knowles @c4i
Senior Editor
InfoSec News
September 24, 2014

Somewhat Freaky Fast Notification.

Champaign, Illinois-based Jimmy John’s Gourmet Sandwiches Shops announced on Wednesday that it is the latest business to suffer a credit card breach, joining the ranks of Target, Neiman Marcus, Michaels, and Home Depot.

Here’s the company statement:

On July 30, 2014, Jimmy John’s learned of a possible security incident involving credit and debit card data at some of Jimmy John’s stores and franchised locations. Jimmy John’s immediately hired third party forensic experts to assist with its investigation. While the investigation is ongoing, it appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014. The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John’s stores.

Approximately 216 stores appear to have been affected by this event. Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, e-mail, and password, remains secure. The locations and dates of exposure for each affected Jimmy John’s location are listed on AFFECTED STORES & DATES.

Jimmy John’s has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors.

We apologize for any inconvenience this incident may have on our customers. Jimmy John’s values the privacy and security of its customers’ information, and is offering identity protection services to impacted customers, although Jimmy John’s does not collect its customers’ Social Security numbers. To take advantage of these services, please visit CONTACTS & INFORMATION. For more information, call (855) 398-6442. In addition, customers are encouraged to monitor their credit and debit card accounts, and notify their bank if they notice any suspicious activity. Additional recommendations for protecting your information can be found at RECOMMENDATIONS.

Jimmy John’s will post information related to its ongoing investigation on the Company’s website, www.jimmyjohns.com

Matthew C. Wright via Compfight

San Diego Hotel Group Suffers Payment Card Breach


By William Knowles @c4i
Senior Editor
InfoSec News
September 5, 2014

San Diego-based Bartell Hotels has released a statement detailing a data security incident that occurred between February 16, 2014 and May 13, 2014 and may involve certain credit card data, including credit card numbers, and other personally identifiable information.

The payment card systems at the following five locations were compromised by a third-party attacker:

Best Western Plus Island Palms Hotel & Marina
Humphreys Half Moon Inn & Suites
The Dana on Mission Bay
Days Hotel–Hotel Circle
Pacific Terrace Hotel

Law enforcement and the credit card brands have been notified of this incident.

Bartell Hotels encourages its guests to remain vigilant by reviewing their account statements and monitoring their credit reports for suspicious activity. Bartell Hotels also encourages its guests to notify the banks that issued their card(s) of any suspicious activity.

Bartell Hotels intends to provide affected individuals with credit monitoring and identity protection services through AllClear ID.

Consumers affected by the breach who have any questions should call the hotel group’s privacy counsel, Kathryn Mellinger, Esquire, at 215-977-4070.

Photo by Justin Brown via Compfight

HealthCare.gov Server Compromised by Hackers


By William Knowles @c4i
Senior Editor
InfoSec News
September 5, 2014

Unknown hackers breached a test server with malware on a Health and Human Services (HHS) site that supports the Obamacare insurance website HealthCare.gov.

The commonplace malware was designed to launch “denial of service” attacks against other websites, HHS said, and there is no evidence any consumers’ personal information was sent to any external IP address. The attack did not appear to directly target HealthCare.gov, and the server that was targeted did not contain any consumers’ personal information.

The Wall Street Journal reports that, according to officials, the server was connected to more sensitive parts of the website that had better security protections. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn’t intend to target a HealthCare.gov server.

Washington officials said they are concerned an intruder gained access to the HealthCare.gov network through a basic security flaw. The server had low security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.

It should be noted that the Department of Health and Human Services, in the 2014 Annual Report to Congress on the Federal Information Security Management Act [PDF], scored only 43% in 2014, down from 50% in 2013.