Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Supervalu / LoyaltyBuild Hack

  • 13-11-2013 9:18am
    #1
    Registered Users, Registered Users 2 Posts: 36,488 ✭✭✭✭


    According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted. This is strictly amateur hour stuff, I hope the DPC rides these guys sideways.

    Meanwhile nobody is saying which companies provided the remainder of the 1.5 million customers :mad:

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.



Comments

  • Registered Users, Registered Users 2 Posts: 1,473 ✭✭✭tred


    ninja900 wrote: »
    According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted. This is strictly amateur hour stuff, I hope the DPC rides these guys sideways.

    Meanwhile nobody is saying which companies provided the remainder of the 1.5 million customers :mad:

    Agreed, this is nuts. I am nearly sure i read yesterday from loyaltybuild, "we dont store CVS, and dont keep cards longer than 3 months". I suspect some idiot was logging data somewhere, including all the card numbers, and this was comprimised. Seen as they ahve the card numbers and names of people comprimised they should contact everyone, and say, "the card ending in these last 4 digits" could be comprimsed. I had a couple of cards i could have used...i dont fancy cancelling them all. interestingly this morning, the reason the revenue commissioners are asking for the property tax for this year for those who paid by cards is, they couldnt hold onto the credit card details in the system by LAW!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    ninja900 wrote: »
    According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted.

    Oh dear. That is very, very bad. That makes my inner security soul cry.


  • Registered Users, Registered Users 2 Posts: 9,610 ✭✭✭Padraig Mor


    Khannie wrote: »
    Oh dear. That is very, very bad. That makes my inner security soul cry.

    Should they even have had the numbers in the first place? I would have thought only the banks involved should have had this access? (know nothing about this area - apologies if I'm well off!).


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Should they even have had the numbers in the first place? I would have thought only the banks involved should have had this access? (know nothing about this area - apologies if I'm well off!).

    They may have been given the authority (by the customers) to retain CC information (like Amazon do, for example).

    Mod: This thread has two distinct aspects to it - InfoSec and Consumer / Banking issues. I'm going to move the original thread to Banking and fire up a new thread in here for InfoSec related discussion around this monumental balls up, splitting out relevant posts.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Aaaah. That's better. :)

    On the InfoSec side, as I said, it really hurts to think that people are this sloppy. That company is now unquestionably dead. Nobody would reasonably use them for anything ever again. The cost of proper security is something that I find people moaning about a lot, but the cost of something like this to a business is devastating. It's always safest to assume that a hacker has already breached your network, because, you know, they have.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 9,610 ✭✭✭Padraig Mor


    Khannie wrote: »
    They may have been given the authority (by the customers) to retain CC information (like Amazon do, for example).

    Mod: This thread has two distinct aspects to it - InfoSec and Consumer / Banking issues. I'm going to move the original thread to Banking and fire up a new thread in here for InfoSec related discussion around this monumental balls up, splitting out relevant posts.

    I ALWAYS decline invitations to store CC details and strangely enough I've received no correspondence from Supervalu despite having booked in the relevant period - maybe I was lucky?


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/
    Loyaltybuild: PCI compliance

    Earlier this year, Loyaltybuild achieved Payment Card Industry compliance – a standard created by the main credit card vendors worldwide to help e-merchants ensure high levels of security and protection over customer financial details.

    The standard covers everything from having antivirus software and intrusion protection systems installed, to secure practices around applications and best practice around documentation and operational procedures.

    “It’s an exhaustive and stringent standard, but one worth achieving,” says Egan. “It was a major undertaking but it brings huge benefits in terms of trust from your customers, who know that you have a certain standard of security protecting their credit card information. It also improves the general security around the company because it touches on so many different areas.”

    Loyaltybuild has made substantial investments in IT solutions, but there are more improvements in the pipeline. The company is looking at the possibility of migrating its websites to a new platform (from ColdFusion to RIA) to improve end-user experience, increase modularity and enable the in-house development team to add a greater variety of features going forward.
    How the hell were they compliant when everything was unencrypted and they were storing CVV's?


  • Registered Users, Registered Users 2 Posts: 780 ✭✭✭padraig.od


    I'd *guess* the main datastore was secured but some other code, like an app logger was not? Any basic audit would have found the encryption lacking inbthe datastore


  • Moderators, Business & Finance Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 51,690 Mod ✭✭✭✭Stheno


    Blowfish wrote: »
    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/

    How the hell were they compliant when everything was unencrypted and they were storing CVV's?

    They will now potentially incur huge charges for processing credit cards, and end up out of business.

    Shockingly sloppy on their part.

    How also did it take the best part of 18 months to find the breach and how can they know it ended Jan. 2012?


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 910 ✭✭✭rick_fantastic


    While storing of sensitive authentication data has always been a big NO-NO, the stringency and depth of the PCI-DSS audit since 2009 has increased massively.

    The council will be asking serious questions of their auditors now and rightly so..

    Did LoyaltyBuild manage to retain their compliance status in subsequent years?

    I can well imagine this was a case that the main CC DB store was encrypted and logdbs were where the SAD was taken from


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    Blacknight wrote: »
    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/

    Good interview - thanks Conn.


    On a separate note - does anyone know who does the Breach Investigations on behalf of the Data Protection Commissioners ? Is it in-house staff or external ?


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    padraig.od wrote: »
    I'd *guess* the main datastore was secured but some other code, like an app logger was not? Any basic audit would have found the encryption lacking inbthe datastore

    PCI doesn't allow logging of CC details in the "app log" only a reference. Usually the last 4 digits. Maybe the first 4 too.


  • Registered Users, Registered Users 2 Posts: 1,509 ✭✭✭ElNino


    Why were they storing the card numbers in the first place? Surely the majority of their transactions were once off (e.g. people booking a holiday) and not repetitive transactions.


  • Moderators, Business & Finance Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 51,690 Mod ✭✭✭✭Stheno


    Blacknight wrote: »
    If anyone's interested, we interviewed Brian Honan about the breach earlier today: http://technology.ie/loyaltybuild-brian-honan-explains-security-issues-audio/

    Good interview, thanks :)
    ifah wrote: »


    On a separate note - does anyone know who does the Breach Investigations on behalf of the Data Protection Commissioners ? Is it in-house staff or external ?

    They have some internal staff, but bring in external consultants if they need to iirc


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    Why were they storing the card numbers in the first place?

    Exactly the most worrying part of it is card details being stored from transactions that have already taken place and have been charged/reconciled with the acquiring banks. Surely once its charged for, that's the end of the matter, business done, delete card info.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    TheBoffin wrote: »
    Exactly the most worrying part of it is card details being stored from transactions that have already taken place and have been charged/reconciled with the acquiring banks. Surely once its charged for, that's the end of the matter, business done, delete card info.

    Thats not the business they are in, its a loyalty company where they attribute points/bonuses to the cards so its perfectly legit that they store the card data.


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    Thats not the business they are in, its a loyalty company where they attribute points/bonuses to the cards so its perfectly legit that they store the card data.

    Im not talking about Loyalty Cards silly, I am talking about credit cards


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    TheBoffin wrote: »
    Im not talking about Loyalty Cards silly, I am talking about credit cards

    I misread I thought loyaltybuild distributed branded credit/debit cards


  • Registered Users, Registered Users 2 Posts: 910 ✭✭✭rick_fantastic


    They were last PCI audited in November 2012

    AFFINION INTERNATIONAL
    Internet / MOTO payment processing Loyalty Programmes Records Management
    November 2012
    Trustwave
    http://www.AffinionInternational.com

    So technically compliant status... I would not like to be the auditor in Trustwave who signed off on that....


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Not as sophisticated as they were making out. Yesterday and this morning, media reporting on a very sophisticated hacking.

    Data was unencrypted, claims Irish data protection commish
    According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules - CVV details were held unencrypted on Loyaltybuild's systems in the run-up to attacks in the middle of October.

    CVV - Card Verification Value - numbers are the three-digit security code found on the back of a credit or debit card, used to prove that a customer making an online purchase has physical possession of the card. They are an important anti-fraud measure.


  • Closed Accounts Posts: 5,857 ✭✭✭professore


    Blowfish wrote: »
    Spotted this 2009 article on Brian Honan's twitter: http://bestconnected.enterprise-ireland.com/case-study-loyaltybuild/

    How the hell were they compliant when everything was unencrypted and they were storing CVV's?

    A client of mine that ironically was working with me on a project with Loyaltybuild, looked into getting PCI compliance for my part of the project, he was quoted 50 grand. I say ironic, since I wouldn't store credit cards period, ever. PCI compliance: another scam to make money for consultants.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    RangeR wrote: »
    Data was unencrypted, claims Irish data protection commish

    Muppets.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    professore wrote: »
    A client of mine that ironically was working with me on a project with Loyaltybuild, looked into getting PCI compliance for my part of the project, he was quoted 50 grand. I say ironic, since I wouldn't store credit cards period, ever. PCI compliance: another scam to make money for consultants.

    Consider actual PCI compliance would have negated the fallout of this attack, its not a scam.

    Getting true PCI compliance means some heavy duty security, as it should be.


  • Registered Users, Registered Users 2 Posts: 36,488 ✭✭✭✭Hotblack Desiato


    They were last PCI audited in November 2012

    AFFINION INTERNATIONAL
    Internet / MOTO payment processing Loyalty Programmes Records Management
    November 2012
    Trustwave
    http://www.AffinionInternational.com

    So technically compliant status... I would not like to be the auditor in Trustwave who signed off on that....

    This is maddening, it's the finance industry/banks all over again. All had 'audits' that weren't worth the paper they were printed on.

    DigiNotar got f**ked out of business for incompetence and breach of trust, Trustwave have got plenty of explainin' to do.

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.



  • Registered Users, Registered Users 2 Posts: 1,509 ✭✭✭ElNino


    This article might give some hints as to why LoyaltyBuild retained credit and debit card numbers
    http://www.irishexaminer.com/ireland/loyaltybuild-owners-pay-out-30m-in-us-249580.html


  • Registered Users, Registered Users 2 Posts: 434 ✭✭TheBoffin


    This article might give some hints as to why LoyaltyBuild retained credit and debit card numbers
    http://www.irishexaminer.com/ireland...us-249580.html

    Refunds or not, they should not be storing card details after the transaction completes. If refunds were to be made then they should have been made by cheque.

    The only time ANY payment card details should be stored is if a card payment authority is set up for one or more transactions and the customer is notified about it.


  • Registered Users, Registered Users 2 Posts: 36,488 ✭✭✭✭Hotblack Desiato


    It gets worse.

    http://www.irishtimes.com/news/consumer/customers-of-eight-more-firms-have-personal-data-stolen-1.1595359
    Customers of a further eight companies including Clerys, Centra, Postbank and Pigsback have had their personal information stolen in the data breach at Co Clare-based company Loyaltybuild.

    Credit card information of customers of Clerys’ loyalty travel scheme as well as personal details including names, addresses, phone numbers and email addresses are now know to have been stolen in the cyber attack. Non-financial information of customers of Centra, vouchers website PigsBack, Postbank Ireland and a small Ennis orthodontics company called TOG were also compromised.

    Credit card details of Stena Line customers in Northern Ireland have also been compromised as have a small number of credit card details and the personal data of customers of Northern Unislim.

    Loyaltybuild said last night that it had ceased taking bookings on its website and over the phone, effectively shutting down its operation.

    ‘Give customers confidence’

    “We have done this to enable our external data experts to complete their investigation into the attack and to put into place the necessary protections and certifications to give our customers the highest degree of confidence when booking with us in the future,” the company’s general manager Peter Steenstrup said.

    They still think their pathetic company has a future?

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.



  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    ninja900 wrote: »
    They still think their pathetic company has a future?

    I'm sure they're screwed. I can't see anyone recovering from something like this but I'm also sure that management should and will try very hard to keep peoples jobs.


  • Advertisement
Advertisement