The world’s two largest credit card processors have notified U.S. banks of a potential security breach that may affect more than 10 million cardholders, Reuters reported on Friday. MasterCard and Visa have said that the issue was the result of a third-party vendor and not their own internal systems. MasterCard said it has taken the proper steps by alerting law enforcement officials and hiring an independent data-security organization to review the possible breach. “MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information,” the company said in a statement. “If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.” Visa made sure to emphasize that its customers are not responsible for any potential fraudulent charges. More →
Last year hackers made headlines when AT&T announced to a security breach that had allowed hackers to access the personal data from 114,000 iPad 3G users. On Thursday, 26-year old Daniel Spitler from San Francisco pleaded guilty to two crimes: conspiracy to gain unauthorized access to computers and identity theft. Spitler faces up to 10 years in prison — five years for each count, according to The Wall Street Journal. “Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said U.S. Attorney Paul Fishman in New Jersey. “Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.” Fishman’s statements are clearly also aimed at other hackers; LulzSec and Anonymous, two hacking groups, recently announced that they have joined forces to attack the U.S. government. That’s in addition to recent hacks on Sony — which LulzSec took responsibility for — and Citigroup. Spitler will be sentenced on September 28th. More →
Remember Citigroup’s recent security breach? The firm originally said that 200,000 accounts — 1% of its customers — were compromised, but now Citi is going on record and saying that hackers gained access to a total of “360,083 North America Citi-branded credit cards.” Unfortunately, the company hasn’t provided any details on how the attack occurred, or who was behind it; the infamous hacking group LulzSec, which claimed responsibility for a number of recent high-profile targets including Sony, hasn’t yet mentioned any involvement. If you’re an optimist, the good news is that Citigroup says the number of active accounts affected is actually below the 360,000 figure — because of subsequent account closures — and that the hackers didn’t steal info enough to actually use the credit card numbers. 217,000 customers have already been provided with replacement cards, and California residents were hit the hardest — 80,000 of the numbers stolen were from that state. More →
Capcom senior vice president Christian Svensson has voiced his opinion over the Sony’s massive security breach on the Capcom forums. “As an executive responsible for running a business, the resulting outage [is] obviously costing us hundreds of thousands, if not millions of dollars in revenue that were planned for within our budget,” Svensson said in a public forum response. “These are funds we rely on to bring new games to market for our fans.” Capcom has a storefront that offers users the option to purchase extra game content on the PlayStation Network. Svenesson clarified in another post and added that he — and perhaps Capcom, too — is more frustrated with the hackers than with Sony, which he views as the victim. More →
On Tuesday, Sony issued an update explaining the recent PlayStation Network and Qriocity outages. The company said it has discovered that between April 17th and April 19th, someone broke into its network and stole user information. In an effort to stop the security breach, Sony temporarily killed access to its PlayStation Network and Qriocity services, hired a security firm to investigate, and started beefing up its security measures. However, the leaked information may be alarming to PlayStation network users. Here’s part of Sony’s statement:
We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
Sony said that it doesn’t think credit card data was taken, but that it will not rule out the possibility, and says that it’s possible credit card numbers – excluding the security codes – may have been obtained by the intruders. The firm advises that its customers “remain vigilant” by closely monitoring credit statements. Sony says the services will be reactivated as soon as possible and that customers can dial 1-800-345-7669 with any questions. Hit the jump for Sony’s official statement. More →
In what may be one of the largest digital security breaches in United States history, millions of customer email addresses have been exposed as a result of a breach at Epsilon. BGR reported on Saturday that TiVo customer email adresses had been compromised as a result of unauthorized access to online marketing company Epsilon’s servers. Following that report, several other companies have come forward to confirm that their customers’ email adresses may have been exposed. Those potentially affected include customers enrolled in Best Buy’s Reward Zone program as well as customers of Citigroup, J.P. Morgan Chase, TiVo, Barclays, Walgreens, U.S. Bancorp, Capital One, HSN and College Board, which represents almost 6,000 different U.S. colleges and universities. “A subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system,” Epsilon said in a statement last week. The company insists that only names and email addresses may have been compromised, and that sensitive information such as social security numbers, credit card numbers and passwords were not accessed.
While the fallout continues over last week’s security breach which saw hackers gain access to the email addresses of some 114,000 AT&T iPad 3G customers continues, AT&T’s VP of public policy and Chief Privacy Officer Dorothy Attwood today sent out an email to everyone of AT&T’s iPad 3G data plan subscribers to explain the situation. While email addresses were obtained by the hackers, Attwood contends that the hackers were unable to access more critical things such as account passwords, AT&T’s network, or user’s iPads. Attwood also said that as soon as AT&T learnt of the hack on June 7th, it took swift action to prevent any further unauthorized exposure of customer email addresses” and patched up the hole which made the hack possible “within hours.” Of course this raises the whole question as to why it took AT&T six days to notify its customers that hackers had gained control of some of their personal information, but we imagine the FBI’s investigation into the matter might help clear some things up. You know, that or the surely dozens of lawsuits that are going to be filed over the matter. Hit up the jump to check out the email in its entirety.
Thanks, Adam! More →
And here comes the FBI. Speaking to Wall Street Journal, an FBI spokesperson confirmed that the FBI has opened an investigation into the security breach which saw the confidential information of some 114,067 iPad 3G owners being retrieved. Despite the claims of Gawker, the site which broke the story, AT&T contends that the issue had been discovered and fixed the day before the story broke. Although security experts claim there it’s unlikely that further harm will come from the leak, there is still the off chance that the email addresses — some of which belong to high level members of the government and military — could fall into the wrong hands of an even worse group of people and become open game for hackers. More →
Um, wow. Gawker revealed today that a group of hackers from Goatse Security (no joke) were recently able to breach AT&T’s servers and obtain confidential user info on a significant amount of AT&T’s iPad 3G users. AT&T eventually patched up the hole in its system after being informed of its existance by Goatse Security, but that was after the confidential information such as email addresses of an estimated 114,067 iPad 3G users — including top level government officials, high-ranking military officers, and Fortune 500 CEOs — were exposed. Here’s how the data was obtained.
When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.
It goes without saying that this is an incredibly serious issue, and is one that most definitely gain more exposure over the coming days. In some ways, we have to wonder what is more concerning: the fact that people outside of the Goatse Security are believed to have accessed the information, or that AT&T knew this happened and did not fess up. Either way, we know which one is the least surprising.
It’s not known whether or not Apple was ever made aware of the situation. Both companies have declined to comment on the matter. More →
Following yesterday’s news of a possible security breach at T-Mobile, the carrier has confirmed today it was indeed a victim of data theft. According to the company, internal information posted on the Internet by hackers was authentic. T-Mobile also claims however, that the stolen data does not appear to jeopardize its customers.
Regarding the recent claim on a Web site, we’ve identified the document from which information was copied and believe possession of this alone is not enough to cause harm to our customers.
A bit PR-ish, considering the hackers claim to have obtained several confidential documents along with financial and database data. The unnamed group first tried to sell said information to T-Mobile competitors and when that didn’t work they offered the data up to the highest bidder. Whether or not a sale has taken place is unclear for the time being.