Breach Stories

The National Retailer

In January 2007, TJ Maxx announced that certain persons had obtained unauthorized access to its computer systems, enabling them to seize cardholder data and other personally identifiable information. A coalition of attorneys general conducted an extensive investigation into the retailer's data security policies and procedures in place when the breach occurred.

It was recently announced that TJ Maxx has settled charges with 41 states and agreed to pay $9.75 million to the states, and to implement and maintain a comprehensive information security program designed to safeguard consumer data and address any weaknesses in the TJ Maxx systems that were in place at the time of the breach.


The South Carolina Restaurant

In South Carolina, a small chain of tourist restaurants purchased new computers and a PCI-compliant version of dining software for each of its locations. Not long after installation, the merchant was notified by Visa/MasterCard that over 150 cards had reported fraudulent activity. The common thread among these cards was this particular restaurant chain.

The restaurant lost its ability to process transactions through the newly purchased system, as it was suspended. The chain had no other option but to purchase standalone terminals to continue processing transactions. Not surprisingly, this caused a great deal of trouble for both the restaurant's wait staff and its customers. Additionally, the chain was required to hire a "Qualified Security Assessor" to perform a forensic study of the suspended system, which cost it $20,000.

The findings of the forensic study are as follows.

The installer had given the merchant a "previously installed computer" that had not been cleaned before it was put into service in the restaurant. Over 60,000 credit card numbers belonging to the previous owner were found on the system. The merchant had also set up remote access for his computer administrator; that remote access was compromised, allowing the criminals to reach any of the stored information they wanted.

The merchant is now waiting for the card associations to decide on its fine, which could easily top $75,000.


The Tennessee Retailer

In a mid-sized town in Tennessee, a local merchant's retail shop was broken into and several inventory items were stolen. Soon after, the merchant began receiving calls from customers expressing their frustration that their credit cards had been compromised after they used them at the merchant's shop. As the calls mounted, the merchant did a little digging and realized that the receipts he kept, which contained full credit card numbers (a clear violation of PCI requirements), had also been stolen during the robbery.

After this realization, Visa/MasterCard stepped in. The merchant had to contact all of its customers from the last three months of sales to explain the situation and salvage their patronage. While some customers returned, the retail shop has suffered severely since the incident.

The merchant is currently awaiting the fines from the card associations.


The Alaska Auto Dealer

An Alaskan auto dealership was processing credit cards through PC software. A few months ago, it received a call from Visa/MasterCard informing it that several thousand card numbers had been compromised through its systems. Due to the magnitude of the breach, the dealership had its merchant account revoked and is no longer able to accept credit cards.

After researching the cause of the breach, it was discovered that the merchant had given an employee remote access to his system. That employee then maliciously loaded programs onto the system to collect stored card information.

The inability to accept credit cards has been an understandable strain on the dealership. Additionally, at this point the merchant has been penalized $10,000 and is awaiting further fines.

Recent High-Profile Breaches

  • A waitress in a Memphis restaurant used a magnetic card reader to steal credit card information from some 150 customers of her employer's restaurant.
  • Card-skimming devices were used at Sam's Club gas stations to steal credit card information from 600 customers.
  • DSW Shoe Warehouse had information from 1.4 million customers stolen from its computer system.
  • A Veterans Affairs data analyst took home a laptop containing personal data for 26.5 million veterans and their spouses that was later stolen in a home burglary.
  • A hacker installed a keylogger to record every character typed on 13 Kinko's computers in Manhattan and later sold the data.
  • A computer server stocked with credit card information was stolen during a burglary at a HoneyBaked Ham store.
  • A hacker accessed the computer system at a Wyndham Hotels and Resorts location and downloaded the personal debit and credit card account data of an estimated 21,0000 customers.

© 2010. Electronic Merchant Systems. Electronic Merchant Systems is a registered ISO/MSP for Chesapeake Bank and Merrick Bank.