Monday, August 18, 2014 at 2:14PM

A massive data breach has been suffered by Jewel-Osco through which information of millions of customers may have been exposed.

A spokeswoman of the parent company of Jewel-Osco, AB Acquisitions, said that as of now, it hasn't been determined as to any card data has been stolen. There is no evidence that the data of any customers has been stolen or the data of customers being misused. The investigation continues. This hack may have started somewhere around 22nd of June and may have ended around 17th of July.

On the basis of the information that was revealed, Acme stores in New Jersey, Delaware, Maryland and Pennsylvania, Jewel-Osco stores in Indiana, Illinois and Iowa, and Star and Shaw's Markets stores in Rhode, New Hampshire, Vermont, Massachusetts and Maine were affected.

The Chief Information Officer and Senior Vice President at AB Acquisitions, Mark Bates, said that they are aware of customers being concerned about the security of the payment gateway or the credit card data and that they are working hard for protecting it. As soon as this incident was notified, they started working closely with Supervalu for determining what happened.

Supervalu Inc. is the former owner of Jewel-Osco and the payment technology in question is handled by it. The company says that it is working with Jewel Osco on this problem. Even the stores of Supervalu were affected, although no evidence of data misuse was seen.

In response to this breach, customers are being offered 1 year of free identity theft protection. Various security concerns are raised by the fact that the data breach has been just discovered.

If someone's data is stolen then they could have known it quickly. However, in spite of these concerns, it is believed that data breach is contained and the cards can be used in stores again.

Tuesday, August 12, 2014 at 4:23PM

A cybersecurity firm said it has uncovered about 1.2 billion Internet logins and passwords and more than 500 million email addresses amassed by a Russian crime ring, the largest known collection of such stolen data, The New York Times reported on Tuesday.

Hold Security of Milwaukee, Wisconsin, which discovered the credentials, said they were stolen from some 420,000 websites, according to the report.

Hold Security declined to identify the sites that were breached, citing non-disclosure agreements and concerns that they remained vulnerable to attack, the paper reported on its website.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable," the New York Times quoted Alex Holden, the founder of Hold Security, as saying.

Reuters could not independently confirm the details of the report.

Dmitri Alperovitch, chief technology officer of the cybersecurity firm CrowdStrike told Reuters that the stolen passwords could be used to access other accounts beyond the ones on sites that were breached because people commonly use the same passwords for multiple sites.

"A compromise like this could mushroom," said Alperovitch.

Hold Security in February said it had uncovered stolen credentials from some 360 million accounts that were available for sale on cyber black markets.

Monday, July 28, 2014 at 2:29PM

This Week In Credit Card News: Card Breach at Goodwill, Where Are Debit Card Rewards?

Will Debit Card Rewards Become a Perk of the Past?

Banks are still struggling to regain their footing from the financial collapse and resulting Great Recession. As profits shrink and expenses expand, the biggest banks in America are shedding thousands of jobs, cutting lobby services, shutting down branches and trimming–or eliminating–debit card rewards. Is it just short-term penny pinching or long-term cost cutting? [U.S. News and World Report]

Card Breach at Goodwill Industries

Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports. Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards. [Krebs On Security]

Six Indicted in Alleged Hack of StubHub Customers' Credit Cards

An international cyber-crime ring was able to take over StubHub user accounts to steal identifying information and use victims' credit cards to purchase tickets to concerts and sporting events, authorities announced Wednesday. Six people were indicted in connection with the alleged scheme to defraud users on the popular online ticket marketplace. StubHub, an EBay subsidiary, allows customers to buy and sell tickets to concerts, sporting events and other live entertainment. The company, according to authorities, discovered that more than a thousand accounts had been compromised by hackers who were fraudulently hijacking users' credit cards. [Los Angeles Times]

Medical Credit Cards: Why They Can Cost You Big

The high cost of dentistry is apparently fueling a burgeoning market in medical credit cards, with more than 4.4 million Americans financing their root canals, orthodontia and other medical and veterinary procedures this way. These cards, which charge interest rates ranging from 10 percent to nearly 30 percent, help consumers pay for medical services that are not covered by health insurance, according to a recent study by the Government Accountability Office. And they're are great deal for the dentists, doctors, veterinarians and other medical professionals that offer them because the credit issuer provides payment to the doctor for the cost of the service, usually within 72 hours of processing the credit application, without forcing the medical provider to even wait until the service was provided. [MarketWatch]

3 Security Strategies Worth Considering Along With EMV, BYOD

A spate of high-profile data breaches and the ongoing threats posed by antiquated magnetic stripe technology has created the need for transformation across the retail and financial sectors – including the upcoming adoption of Europay-MasterCard-Visa (EMV) global standard chip cards throughout the U.S. But while the shift to EMV technology will mitigate risk for counterfeit card fraud, it will amplify the threat of online attacks. [Business Solutions]

PayPal Is Keeping eBay Afloat

PayPal, the online payment processor owned by eBay, may be the big thing keeping the parent company afloat. eBay has seen a steady decline in its revenue, especially after a data breach discovered in May of this year. According to their second quarter figures, PayPal grew by four million accounts, bringing their total number of accounts to 150 million. The company saw a growth of 29% in total payment volume and 21% in total number of payments compared to the same time last year. PayPal's transaction related revenues increased by 18%, which is more than twice the growth rate for the industry. [LowCards.com]

Consumers Soon Will be Able to Turn Their Credit and Debit Cards Off and On to Prevent Fraud

In what might be a huge breakthrough to curb credit and debit card fraud, new technology is set to take off that will offer customers the ability to turn their cards off and on at a moment's notice using their smart phone. If the credit card is off, it can't be used for anything. If it's turned on, it can be used within seconds for a specific transaction, and then turned off again. Or customers can choose to ban purchases that occur in other states, or online, or at certain types of merchants. [Cleveland Plain Dealer]

Wednesday, June 4, 2014 at 12:48PM

By Bob Johnson, NAID CEO

Is mold in wet paper records a problem? Paper records get wet. It happens more than you might
think. Sometimes, file boxes that are stored in the lowest rent portions of the building, usually dank
and dark, get wet. Maybe there was a plumbing leak. Maybe there was a flood, hurricane, or leaky
roof. And, when office and storage buildings catch fire, sprinklers and firemen with water hoses often
target records storage areas since they represent the most fuel. Even a dank old basement can make
stored records wet to a degree. The point is that paper records have many occasions to get wet in a
number of ways.

Deep inside any stack of wet paper, boxed or not, it is dark and warm, which creates optimal
conditions for the growth of mold. In the last few years, mold has become one of the most feared and
least understood health hazards out there. It has caused people to level perfectly good homes. It has
spawned personal injury lawsuits. And, it has caused insurance underwriters to exclude damage from
mold and mold-remediation from home insurance policies.

So it is a quite logical that when document destruction companies are faced with the destruction of
paper that is or was recently wet, they are concerned about the welfare of employees, health code
violations, and future personal injury claims or regulatory penalties.

What's the big deal?

Mold is part of the natural environment. It is a type of fungi found everywhere – inside and outside –
throughout the year. There are about 1,000 species of mold found in the United States and 100,000
known species worldwide.

Mold grows on almost any substance, as long as moisture, oxygen, and an organic source are
present. Mold affects everything around it because when mold produces tiny spores (i.e., viable
seeds) that usually cannot be seen without magnification. Mold spores continually float in the air, both
indoors and outdoors.

According to the Occupational Safety and Health Administration (OSHA) website, "Currently, there
are no federal standards or recommendations (e.g., OSHA, NIOSH, and EPA) for airborne
concentrations of mold or mold spores."

Typically, most indoor air exposures to mold do not present an adverse risk to a person's health;
however, some can produce allergens, which are substances that cause allergic reactions. The onset
of allergic reactions to mold can be either immediate or delayed. Allergic responses include hay fever-type symptoms such as runny nose and red eyes.

Mold may cause localized skin or mucosal infections but, in general, it does not cause systemic
infections in humans, except for persons with impaired immunity, AIDS, uncontrolled diabetes, or
those taking immune suppressive drugs. Also, mold can cause asthma attacks in some individuals
who are allergic. In addition, exposure to mold can irritate the eyes, skin, nose and throat in certain
individuals. Symptoms other than allergic and irritant types are not commonly reported as a result of
inhaling mold in the indoor environment.

Handling wet records
© 2012 National Association for Information Destruction, Inc. - All Rights Reserved 1

In the life of every secure destruction company, the call to remove wet records will come. The first
question should be: How wet? The second question is: How long have they been wet?

The reason for knowing how wet they are is pretty obvious. If they are dripping wet, there are
probably have more logistical issues than health issues. Moving and destroying soaking wet paper
presents many challenges that would make a great subject of discussion on its own.

But, as to the issue at hand, namely destroying mold-laden paper, the duration is more relevant.
Soaking wet paper most likely got that way in a recent event where mold has not had the opportunity
to take hold. On the other hand, damp paper that was exposed to damp conditions over a long period
of time or was dried out is more likely to have mold issues. A notable exception to this rule is when
records are soaking wet because they were exposed to flood waters or sewage overflows. Those
records would have extremely rough logistical and health issues.

To be clear, if the records were ever wet, it is pretty much the same risk as if they are currently wet.
According to OSHA, the risk is virtually the same "since the chemicals and proteins, which can cause
a reaction in humans, are present even in dead mold."

How to treat moldy records

Disaster recovery experts suggest you approach projects involving potentially mold-laden paper the
same way you would approach any mold remediation issue. The truth is that even if mold has begun
to grown in the paper, it is highly unlikely that toxic molds are present. The problem is, however, in
the remote chance they are present, there are serious ramifications to the health of those handling
them.

According to Beth Lindblom Patkus of the Northeast Document Preservation Center in Andover,
Mass., a mycologist should be consulted to insure that no toxic mold species are present. She said
local hospitals and health departments can provide references of companies that do field tests for the
presence of such toxic molds. If the wet or damp materials do contain toxic mold, your work is done
unless you are in the business of cleaning up biohazard waste.

If you have established that the materials do not contain toxic mold, it is safe to arm healthy
individuals to process the materials. Under no circumstances should employees with AIDS,
uncontrolled diabetes, or those taking immune suppressive drugs be exposed or allowed to process
the materials. In addition, consideration may be given to employees with allergic reactions to airborne
substances.

It is advised that even healthy employees sent into these circumstances need to wear a protective air
filter. OSHA recommends personnel "be equipped with respiratory protection (e.g., N-95 disposable
respirator). Respirators must be used in accordance with the OSHA respiratory protection standard
(29 CFR 1910.134). Gloves and eye protection should be worn."

Also, avoid eating, drinking, and using tobacco products and cosmetics where mold remediation is
taking place. This will prevent unnecessary contamination of food, beverages, cosmetics, and
tobacco products by mold and other harmful substances within the work area.

Loading and transporting

© 2012 National Association for Information Destruction, Inc. - All Rights Reserved 2
The trick to removing the materials from storage is to minimize exposure. To effectively isolate the
wet materials, plastic bags can be use to seal it up. Alternatively, if mobile containers have lids that
seal tightly, bagging may be unnecessary. In that case, both to minimize health concerns and
customer peace of mind, the materials should not be carried unprotected through an area where it
could be exposed to the clients and employees.

Destruction

Most information destruction equipment is not effective in destroying wet paper. Therefore, if it is still
wet, it must be land-filled, incinerated or left until it is dry.

With dry material, there are fewer restrictions on how the materials can be destroyed, but there is no
less judgment required in making the decision on how to proceed. Factors that service providers may
want to consider are the amount of the material, whether they have air cleaning capability (and their
faith in it), the extent and duration of the materials that were exposed to the mold-creating
environment, and whether there is a capability to isolate the destroyed materials from the other
materials that are stored for eventual recycling.

In case there was any doubt, it is not likely that the destruction process itself will appreciably change
the mold or mold-remnants that were originally in the materials. They will, however, significantly
increase the likelihood of their aerosol distribution. Employees in the immediate area of the
processing plant, therefore, should also be equipped with the same gear as those who removed the
material from their original dwelling.

Challenges and opportunities

Many information service providers will steer clear of any situation that even hints of a health hazard.
Of course, everyone has their own tolerance for dealing with any suggestion of additional liability. In
reality, however, given the lack of conclusive evidence of a link between non-toxic mold and health
problems, some may view it as an opportunity to offer a value-added service. For the record, NAID is
not aware of mold-related health claims against any information destruction company, stemming from
the destruction of wet, or previously wet, paper media.

What clients need to know

As a service to clients, they need to be aware when they may have an additional health-related
liability when disposing of certain materials. Secure destruction companies that are prepared to
address that liability by having the right personal safety equipment on hand, may find themselves in a
good position to better capitalize on their concerns.

Being ready with the right precautions, answers, systems, trained employees and safety equipment,
could turn out to be profitable occasionally and an interesting point of differentiation. That is not to say
that everyone is going to get rich because they are ready and able to take on such projects. It is more
likely to be a tool that prevents others from serving your existing clients or as way to earn an account.
Keep in mind that in order to help a client dispose of wet or "once wet" materials, you may need
permission to deviate from normal procedures as well as agree to release your firm of the liability for
such deviation. This agreement should be arranged up front and with the advice of legal counsel.

Thursday, April 24, 2014 at 4:31PM

NEW YORK (AP) — While Target's massive data breach last year caused consumers to panic and drew attention to Internet crime, a new study finds that breaches on retailer payment systems are less common than other kinds of attacks.

More than twice as many of last year's Internet data breaches resulted from various small online acts, such people clicking on malicious Web links and choosing easy-to-guess passwords, according to a worldwide report from Verizon.

The report, considered to be one of the top annual looks at Internet-related crime, includes information from 50 organizations ranging from law enforcement to security companies. The report was due out Wednesday.

Target Corp.'s breach, one of the largest in history, resulted in the thefts of 40 million credit and debit card numbers, along with the personal information of up to 70 million people. Other companies including fellow retailers Neiman Marcus and Michaels Stores Inc. later announced breaches to their systems as well.

But while such large-scale attacks grab headlines, the number of breaches of payment systems has fallen in recent years. In 2013, there were just 198 recorded breaches of payment systems, representing 14 percent of the year's 1,367 confirmed data breaches.

By comparison, data breaches through attacks on Web applications accounted for 490, or 35 percent, and cases of online espionage covered 306 attacks, or 22 percent.

Verizon says its numbers are not comparable with those from previous reports because its research methods and the number of contributors to the report have changed.

Wade Baker, Verizon's managing principal of research and intelligence, said researchers saw a big increase in attacks on smaller retailers a few years ago. But now, he says, it appears that criminals are going after major retailers that handle millions of debit and credit card numbers and leaving the smaller companies alone, even though they are easier to attack.

And regardless of the type of attack and the motivation behind it, cybercrime has gone from a game to a big business.

"It's very industrialized and very sophisticated," he says. "You can buy software packages that are customized. It's never been easier to turn data into money. Those changes are what drive every big-picture trend that we see."

Other findings in the report:

— Web application attacks continue to be popular. Those attacks generally stem from the theft of an authorized person's credentials, which could happen by cracking an easy password or by getting someone to click a link in an email. Criminals also sometimes exploit coding flaws in a system to gain entry.

The reasons behind those attacks vary. According to the report, 65 percent of Web application attacks last year either stemmed from political motivations or were the acts of thrill seekers, while 33 percent were financially motivated.

— Of last year's recorded cyber espionage attacks, 54 percent were targeted at U.S. victims and 87 percent involved foreign governments. In 49 percent of the cases, the people behind the attacks were located in Eastern Asia and 21 percent came from Eastern Europe.