Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly
@DTPaymentNews
The number of data breaches tracked by the Identity Theft Resource Center in 2017 hit 698 as of May 30, a 35.3% increase over the record pace of a year ago when the ITRC flagged 516 breaches in 2016’s first five months.
The San Diego-based nonprofit monitors breaches affecting virtually every type of organization—including businesses, financial institutions, government, health-care providers, and schools—and data records with personal information, including credit and debit card accounts, Social Security numbers, and medical files. The ITRC says the nearly 700 breaches may have compromised 10.2 million records. Since most breach reports don’t list the number of records exposed, however, the total probably is far higher.
Some 80, or 11.3%, of 2017’s breaches have compromised payment card records, Karen A. Barney, the ITRC’s director of research and publications, tells Digital Transactions News by email. The card records compromised add up to 364,611, or 3.6%, of the total.
Major known breaches this year affecting payment cards involve restaurant chains, including one at Arby’s that might have compromised up to 355,000 cards, and another at Chipotle, for which the number of cards exposed has not been disclosed. Another breach may have compromised an unknown number of cards used at car washes nationwide that use a point-of-sale system from DRB Systems LLC that was infected by malware.
In fact, only one-third of the breaches tracked by the ITRC include a publicly available number on the records compromised, Barney says. The organization gathers its breach data from reports filed by breached entities to state governments, media reports, and other sources, and many contain only partial information.
Fraudsters are hitting companies and organizations with increasingly sophisticated phishing emails that induce the recipient to open them, upon which the email often plants malware on the recipient’s computer system. Or, in highly targeted “spear-phishing” attacks, what appears to be a legitimate email to a lower-level employee from a higher-up executive in the same company asks the employee for sensitive information or to arrange a wire transfer to a fraudulent recipient.
“This has been a very big year for the spear-phishing breaches, which are really targeting employee and tax information,” says Barney.
The newest data-breach target appears to be discount-store chain Kmart, where malware compromised an undisclosed number of payment cards, Kmart parent company Sears Holdings Corp. reported this week.
“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls,” Hoffman Estates, Ill.-based Sears said in a statement. “Once aware of the new malicious code, we quickly removed it and contained the event.”
The breach was first reported by the KrebsOnSecurity news site, which said bankers noticed a pattern of fraud on their customers’ cards that had been used at Kmart, but not at all of its locations. The new breach follows another one at Kmart in 2014, Krebs reported.
