Whopper of a Breach

Credit card breaches are becoming alarmingly common. Since 2009, several high-profile companies have had their consumers’ credit card information compromised.

In January 2009, Heartland Payment Systems disclosed that hackers had gained access to computers used to process 100 million payment card transactions each month for 175,000 merchants.

More than a year later, Twin America, the parent company of CitySights NY, disclosed that an estimated 100,000 customers’ personal details, including credit card numbers, were stolen.

Those numbers appear mild compared to the credit card breach at Sony earlier this year that analysts estimate ranged from $1.5 billion to $24 billion. The company’s PlayStation Network, consisting of 77 million user-created accounts, was compromised. Analysts believe this will result in $300 million in card replacement costs. And more recently, Citigroup released details of a May 2011 attack that breached 360,083 accounts.

For the most part, consumers are protected and credit card companies are in no danger of going bankrupt: The brunt of chargebacks and fines hit the merchants.

For the store owners, these breaches are a nightmare. Tracy Amarosa, co-owner of Burger King franchisee Liberty Restaurant Group, remembers the call from the Department of Homeland Security. The government set up cameras in one of her restaurants, she said, believing it might have been a part of a larger breach.

“They found nothing, so they left, and told me I was a part of something else,” Amarosa said in a webinar sponsored by Omega ATC, a PCI compliance and data security firm.

Shortly thereafter, Liberty received a call from a credit card processor and was informed that the same store was encountering hundreds of breaches. Amarosa needed to hire a forensic specialist to determine the source of the breaches — and the card processor began fining Liberty $5,000 a month until the breaches stopped. Around that same time, another Liberty restaurant was breached and the company was notified that Visa, American Express and Discover would begin assessing fines.

In an effort to fix the problem, Liberty replaced the registers in all of their restaurants.

“We assumed our restaurants were safe from this because we were told that the registers were PCI-compliant,” Amarosa said. Indeed, the registers were compliant, but it was the wireless Internet that was causing the problems — and the company used the same password for all registers system-wide.

Before the rash of breaches, “PCI-compliant was just a word to us,” Amarosa said. “We really didn’t have knowledge of it. We make Whoppers for a living.

“We try to treat our customers great [and] we try to protect our employees,” she said. “We didn’t know anything about this computer glitch. … There were days of no sleep. There was this incredible amount of money lost. We were jeopardizing Burger King corporation. We were jeopardizing Liberty Restaurants as a whole, because the customers see us as the bad guy no matter what.”

In the end, Liberty Restaurants paid $200,000 in fines and is now compliant. And it has partnered with Omega ATC to constantly keep track of its credit card information through a built-in logging and alerting system.

Preventing breaches
Despite the high-profile breaches of late, PCI-compliant organizations have suffered fewer or no data breaches between 2009 and 2010, according to a Ponemon Institute report.

But Shekar Swamy, president of Omega ATC, said today’s retail environments are not data secure.

“Breaches don’t happen overnight,” he said. “It takes many months for these breaches to even be discovered and a back door to retail locations is often wide open. People can penetrate from the outside or the inside and no one even suspects that there is anything wrong within their environment.”

Swamy said it’s paramount that stores execute continuous and proper verification of point-of-sales systems, firewalls and back office and remote connections.

Hackers are able to gain easy access into systems because many retailers use the same password and have default systems. Swamy said systems are vulnerable when they are not segmented in a network, which reduces the risk from a breach.

Retailers are also vulnerable if there is a lack of wireless intrusion detection, or if there is a lack of consolidated reporting, missing and outdated security patches and unsecured storage of magnetic stripe data.

Swamy said cyber thieves are very organized and sophisticated, and are extremely patient in terms of how and when they use the data that they gather from these breaches. Many are sitting outside in parking lots and hacking into systems, he said, while employees are also increasingly stealing information from retail customers.

“The bad guys are more sophisticated than any retailer,” he said. “All you can do is make sure that you slow them down and protect your entire environment.”