Archive for September, 2014

New Data Breach Threatens Albertsons Customers


LOS ANGELES (AP) — Card data of Albertsons shoppers may be at risk in another hack.

The company said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.

Albertsons said the malware may have captured data including account numbers, card expiration dates and the names of cardholders at stores in more than a dozen states.

The breach could affect Albertsons stores in California, Idaho, Montana, Nevada, North Dakota, Oregon, Utah, Washington and Wyoming.

Supervalu, a grocery chain also hit by the breach, sold Albertsons to Cerberus Capital Management in 2013, but it still provides information technology services for those stores.

A data breach also occurred in August, but officials said the two incidents are separate.

Albertsons said Monday that they are still investigating that incident and don’t know if cardholder data was taken.

The latest breach follows big hacks that affected millions of customers at Home Depot, Target and other retailers over the past year.

(© Copyright 2014 The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.)

Article source: http://losangeles.cbslocal.com/2014/09/30/new-data-breach-threatens-albertsons-customers/


Possible data breach at ACME stores in Pa, NJ, Del.

Card data of ACME shoppers may be at risk after another hack, the supermarket’s owner said.

Albertsons, which owns ACME Markets, and Supervalu made the announcement Monday.

The breach could affect ACME Markets stores in Delaware, Maryland, New Jersey and Pennsylvania.

The company said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.

“Based on the information we currently know, it is not believed that any customer data was stolen. However, out of an abundance of caution, if you used your credit or debit card in a potentially affected store between June 22, 2014 and July 17, 2014 or between August 27, 2014 and September 21, 2014, you should monitor your credit and debit card account and promptly contact the bank that issued your payment card if you see suspicious activity. Stores in the following states were potentially affected: Delaware, Maryland, New Jersey, and Pennsylvania,” ACME said in a FAQ statement on their website.

According to ACME, the possible stolen data includes names, account numbers, expiration dates or other numerical information.

“Importantly, sensitive information (like Social security numbers, birthdates or driver’s license information), and other personal information were not affected, because that information is not collected as part of the payment process,” the store said.

ACME says they will provide complimentary identity protection to affected customers for one year.

“This coverage includes automatic protection with AllClear Secure for the next 12 months – there is no action required on your part to receive or enroll in this service. If a problem arises, simply call 1-855-865-4449,” ACME said.

Along with ACME Markets, the breach could affect Albertsons stores in California, Idaho, Montana, Nevada, North Dakota, Oregon, Utah, Washington and Wyoming; Jewel-Osco stores in Illinois, Indiana and Iowa; and Shaw’s and Star Markets stores in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont. The Boise, Idaho-based company has a total of 1,081 stores.

Supervalu Inc. said it believes the malware was only able to capture card data from some checkout lanes at four Cub Foods locations in Minnesota because it had not finished making security improvements at those stores. The company thinks it has gotten rid of the malware.

The malware was also installed on a network that processes card transactions at Shop ‘n Save and Shoppers Food Pharmacy stores as well as some stand-alone liquor stores, but the company, which has 3,320 stores, thinks the malware did not capture payment card data from any stores except possibly for the four in Minnesota.

Supervalu sold the Albertsons, Acme, Jewel-Osco, Shaw’s and Star Market chains to Cerberus Capital Management in 2013, but it still provides information technology services for those stores.

The companies also disclosed a data breach in August. They said the two incidents are separate. Supervalu said that incident may have affected as many as 200 grocery and liquor stores. It said hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information.

That breach occurred between June 22 and July 17, and Supervalu said it immediately began working to secure that portion of its network. The companies said Monday that they are still investigating that incident and don’t know if cardholder data was taken.

The latest breach follows big hacks that affected millions of customers at Home Depot, Target and other retailers over the past year.

ONLINE: ACME Markets FAQ

Article source: http://6abc.com/shopping/possible-data-breach-at-acme-stores-in-pa-nj-del/329670/


Jewel-Osco Parent Company Announces New Data Breach


(CBS) — The operating company for Jewel-Osco supermarkets announced Monday that it has been notified of an attempt to steal customers’ data from the stores.

In a statement on its website, AB Acquisition LLC, which operates Jewel-Osco stores among other grocery chains, says its IT provider informed them of a criminal attempt to steal customers’ credit and debit card information. Jewel-Osco stores in Illinois were among those affected.

The company says this attempt is separate from a previous apparent data theft incident that was announced on Aug. 14, saying that different malware was used.

“We take our responsibility to protect our customers’ payment card data seriously,” said Bob Miller, Chief Executive Officer at AB Acquisition LLC. “We sincerely regret that our customers’ data was targeted. As a company, our decisions are always focused on what is best for our customers, and we know this issue has inconvenienced them and caused concern. We are taking appropriate measures to enhance the protection of our customers’ payment card data. We are working closely with all parties on the investigation into this incident.”

It has not yet been determined if customers’ account numbers, expiration date, and other information were in fact stolen as a result of the breach.

Article source: http://chicago.cbslocal.com/2014/09/29/jewel-osco-parent-company-announces-new-data-breach/


Possible ACME Data Breach In Tri-State Area

By Syma Chowdhry and Tim Jimenez

PHILADELPHIA (CBS) — The parent company of ACME Markets has announced a new data breach. Hackers may have gained access to shoppers’ credit and debit card information in 21 states, including Pennsylvania, New Jersey, and Delaware.

If you’ve shopped at ACME from late August to early September, you may want to monitor your credit and debit cards for suspicious activity.

ACME’s parent company, Albertsons LLC, says malicious software was found on networks that processed credit and debit cards in the store.

The company says law enforcement was immediately contacted when the software was detected.

It’s not clear if any customer information was actually stolen.

“It’s more of an inconvenience than anything else,” said Jordan Maria, an Acme shopper in South Philadelphia. “But, sometimes, if it ends up as money being stolen, that’s not a good situation for anybody.”

“We take our responsibility to protect our customers’ payment card data seriously,” said Bob Miller, CEO at AB Acquisition, in a statement about the data breach. “We sincerely regret that our customers’ data was targeted… We are taking appropriate measures to enhance the protection of our customers’ payment card data.”

A statement on Albertsons’ website quotes Mark Bates, Senior Vice President and CIO at AB Acquisition LLC. “As soon as we were notified of the incident, we began working closely with SUPERVALU to determine what happened. It’s important to note that there is no evidence at this point that consumer data has been misused,” Bates said. “We understand the inconvenience and concern an incident like this can cause, and we deeply regret that our customers’ data was targeted.”

The company says they will provide complimentary identity protection to affected customers for one year, but as of now it’s not known how many customers, if any, were affected by this possible data breach.


Article source: http://philadelphia.cbslocal.com/2014/09/29/another-card-system-hack-at-supervalu-albertsons/


OpenVPN Vulnerable to Shellshock Bash Vulnerability

OpenVPN wasn’t immune to the Heartbleed vulnerability in OpenSSL, and it’s not going to sidestep Shellshock either.

Fredrick Stromberg, cofounder of Mullvad, a Swedish VPN company, reported that OpenVPN servers are vulnerable to Shellshock, the vulnerability in Bash plaguing Linux, UNIX and Mac OS X systems.

Stromberg said the attack vector in OpenVPN is particularly dangerous because it’s pre-authentication, putting all communication through a supposedly secure tunnel at risk.

“OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client,” Stromberg wrote in a post to Hacker News. “One option used for username+password authentication is ‘auth-user-pass-verify.’ If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username.”

Gert Doering, speaking on behalf of the OpenVPN open source community version, said that OpenVPN is vulnerable only on systems where /bin/sh points to /bin/bash, or if a script that runs using bash as an interpreter is called explicitly.

“What you want to do from OpenVPN’s point of view is to ensure that you’re not using a 2.2.x version anymore, *and* that you just do not run your scripts using bash (“#!/bin/bash”) but use a shell that is better suited to script usage, like ash/dash,” Doering said. “Also, always use client certificates, as the username verification script that is the attack vector here is only called after successful verification of a client cert. And, of course, update your systems in a timely fashion.”
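Doering's checks can be run against a server configuration. The following is an added example, not code from OpenVPN, Mullvad or the article: it lists each script hook in a config, reports whether the script's interpreter is bash (directly or because /bin/sh resolves to it), and flags settings that drop the client-certificate requirement. The hook list is a subset of OpenVPN's script directives, and the sample files in the demo are constructed.

```python
import os
import shlex
import tempfile

# Real OpenVPN directives that run an external command (a subset, not exhaustive).
SCRIPT_HOOKS = {"auth-user-pass-verify", "client-connect", "client-disconnect",
                "learn-address", "tls-verify", "up", "down", "ipchange", "route-up"}

def interpreter_of(script_path):
    """Return the interpreter named on the script's shebang line, or None."""
    try:
        with open(script_path, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    if parts and os.path.basename(parts[0]) == "env":
        parts = parts[1:]  # "#!/usr/bin/env bash" -> "bash"
    return parts[0] if parts else None

def verdict_for(interp, sh_target):
    """Classify an interpreter as 'bash', 'ok', or 'unknown' (no readable shebang)."""
    if interp is None:
        return "unknown"
    name = os.path.basename(interp)
    if name == "sh":  # /bin/sh is only as safe as the shell it resolves to
        name = os.path.basename(sh_target)
    return "bash" if name == "bash" else "ok"

def audit_config(config_text, sh_target=None):
    """Return (directive, script, verdict) findings for one OpenVPN config."""
    sh_target = sh_target or os.path.realpath("/bin/sh")
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
            # The hook command may be quoted together with its arguments.
            cmd = shlex.split(tokens[1]) if len(tokens) > 1 else []
        except ValueError:  # unbalanced quotes: skip the line
            continue
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive in SCRIPT_HOOKS and cmd:
            verdict = verdict_for(interpreter_of(cmd[0]), sh_target)
            findings.append((directive, cmd[0], verdict))
        elif directive == "client-cert-not-required" or (
                directive == "verify-client-cert" and args[:1] in (["none"], ["optional"])):
            findings.append((directive, "-", "no-client-cert"))
    return findings

if __name__ == "__main__":
    # Constructed sample: two hook scripts and a config that references them.
    with tempfile.TemporaryDirectory() as d:
        for name, shebang in (("verify.sh", "#!/bin/bash"), ("up.sh", "#!/bin/dash")):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(shebang + "\nexit 0\n")
        conf = (f"auth-user-pass-verify {d}/verify.sh via-env\n"
                f"up {d}/up.sh\nclient-cert-not-required\n")
        for finding in audit_config(conf):
            print(finding)
```

A verdict of `unknown` means the script could not be read or has no shebang line and needs a manual look.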

Stromberg said the discovery was disclosed to OpenVPN last week.

“Given how many users could potentially be affected we reasoned that maximum utility would be achieved by giving VPN providers a heads up before warning everyone,” Stromberg wrote. “If you were affected but not informed I apologize.”

OpenVPN is an open source virtual private network software package. Request for comment on the availability of a fix or workarounds went unanswered prior to publication. Stromberg also discovered that OpenVPN was vulnerable to Heartbleed and that researchers were able to chain together several exploits in order to steal private keys.

Since the vulnerability in Bash (Bourne Again Shell) was disclosed last Wednesday, news has been fluid. There are now six distinct vulnerabilities that have been discovered, one as severe as the initial Bash flaw, but all merit watching. A number of patches have been produced, including two within the first 12 hours of discovery last week, and others from major vendors including Apple last night.

The flaw lets an attacker exploit the way Bash executes code attached to an environment variable. Google engineer Michal Zalewski, a prolific bug-hunter, urged administrators to apply a patch built by Red Hat engineer Florian Weimer or an upstream version adopted by Bash project engineer Chet Ramey, who pushed out Bash43-027.

“This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable’s contents to determine whether or not to interpret it as a shell function,” Ramey wrote in the patch advisory.

Zalewski wrote on his blog that he had discovered two new issues in Bash, one a remotely exploitable parsing issue that is exacerbated, he said, because Bash is not usually compiled with ASLR. The other vulnerability, the most severe so far, he said, permits remote code execution on systems that have been patched against the original vulnerability.

“It’s a ‘put your commands here’ type of a bug similar to the original report,” Zalewski wrote.

To date, a number of exploits have been reported, most of those just scanning the Internet looking for servers running vulnerable versions of Bash. One Perl bot discovered by AlienVault Labs opens a backdoor to a remote command and control server where more commands await. Experts speculate those exploits are trying to recruit bots to carry out DDoS attacks. Other exploits report system configuration data to a remote server or try to drop a remote shell on compromised machines.

Article source: http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerability/108616


Google Ups Chrome Bug Bounty, Offers More Money For Exploits


Article source: http://threatpost.com/google-ups-chrome-bug-bounty-offers-more-money-for-exploits/108620


Review: Student loan data breach not criminal


Article source: http://www.kare11.com/story/news/local/2014/09/29/review-student-loan-data-breach-not-criminal/16458227/


Another data breach… Yeah, yeah, whatever


It seems like data breaches are seldom out of the news these days, but whilst that means we’re more likely to be aware of their existence it also means there’s a risk that individual threats begin to fade into the general day-to-day techy chatter and we don’t give them the attention they deserve.

The growing number of breaches — up 10 percent over last year according to a recent study by the Ponemon institute — means they’re less likely to catch our attention. Security training firm KnowBe4 refers to this phenomenon as “breach fatigue” and warns that it may be placing companies at risk.

“The increasing volume of customers affected by these data breaches may be causing a complacency that creates even more risk,” says Stu Sjouwerman, CEO of KnowBe4. “For most companies, it is not a matter of if, but when, followed by a free year of credit monitoring. For users, the constant barrage of breach news can cloud their awareness of cyber-threats as it all becomes background noise”.

The company warns that a careless attitude on the part of individuals can carry over to the business environment. This in turn leads to more risk of being hacked, phished or socially engineered into giving away company information.

Michael Bruemmer, vice president of the credit information company Experian’s data breach resolution group which sponsored the Ponemon study, says that 80 percent of the breaches his group works with, “had a root cause in employee negligence.” He goes on to say, “It could be from someone giving out their password, someone being spear-phished, it could be a lost USB, it could be somebody mishandling files, it could be leaving the door to the network operations center open so someone can walk in”.

You can find out more about how KnowBe4’s security awareness training can help employees stay alert to the risks on the company’s website. It’s also offering a free whitepaper charting the rise of ransomware.

Photo Credit: Suzanne Tucker/Shutterstock

Article source: http://betanews.com/2014/09/30/another-data-breach-yeah-yeah-whatever/


Data Breach Bulletin: Supervalu, Jimmy John’s, Shellshock, American Family Care

Here’s a roundup of this week’s data breaches:

Supervalu – Remember the huge grocery store breach in mid-August that hit 180 Supervalu grocery stores and 836 grocery stores owned by AB Acquisitions? Now, more than a month after that breach was announced, Supervalu has announced that four of its stores were impacted in a separate breach that began in late August. So far, the investigation has revealed that this second breach affected four Cub Food stores in Minnesota. These four stores had not finished installing the “enhanced protective technology,” which Supervalu credits with protecting the rest of their stores and limiting the scope of the attack. The investigation is still ongoing, and investigators have not yet determined if credit card information was stolen.

Jimmy John’s – On September 24, Jimmy John’s confirmed that 216 store locations were impacted in a data breach, almost two months after the sandwich retailer began an investigation on July 30, 2014. A hacker allegedly stole login credentials from Jimmy John’s point-of-sale system, Signature Systems Inc., leading to a breach that lasted from June 16 to September 5, 2014. Only cards swiped at stores were affected, while online transactions remained safe. In addition to Jimmy John’s, Signature Systems reported that nearly 100 other restaurants that use Signature Systems may have been affected by the breach, according to Brian Krebs.

Shellshock – First there was Heartbleed; now, we have Shellshock. Security experts are saying that a vulnerability called Shellshock—which was discovered last week by Akamai security researcher Stephane Chazelas—is a bigger deal than Heartbleed. The vulnerability has existed for years in Bash, an application that runs on the Linux and Unix platforms and is widespread across the Internet. While Heartbleed allowed hackers to view sensitive data, Shellshock lets attackers control a system through “arbitrary code execution.” Apple released a patch for Shellshock on Monday as Mac OS X shares Linux code, and other Linux distributors have also rolled out patches. The full extent of the vulnerability is not yet known, and consumers should install any updates as soon as they are available.

American Family Care – Fewer than 2,500 patients at American Family Care were told that their personal information was at risk after two unencrypted, password-protected computers were stolen from an employee’s vehicle in July, according to SC Magazine. The laptops may have contained all kinds of personal information belonging to these patients, including Social Security numbers, names, addresses, dates of birth, phone numbers, medical record numbers, medical information, insurance information and driver’s licenses. These computers were not used in direct patient care. Because of this incident, American Family Care is now requiring encryption on work computers and is reviewing its policies.

Owensboro Medical Group – Insider threat results in hospital data breaches all too often. But we don’t often hear about groups of employees accessing personal patient information and then leaving the hospital together to start a business selling the data. That’s what happened at Kentucky-based Owensboro Medical Group, where 3,000 patients’ data was stolen. Lawsuits are expected, according to local 14 News, and the medical group has sent letters to affected customers.

Sheplers – Cowboy boot shoppers, take note. A Western apparel store based in Frisco, Texas, announced that it was hit with a data breach between June 11 and September 4. Sheplers—which has stores in Arizona, Colorado, Florida, New Mexico, Oklahoma, Texas, and Missouri—does not believe online shoppers have been impacted in the breach, and the retailer says it’s now safe to use cards at Sheplers stores in all locations. Sheplers says it discovered the breach after an informal tip from a financial institution.

Article source: http://www.forbes.com/sites/katevinton/2014/09/30/data-breach-bulletin-supervalu-jimmy-johns-shellshock-american-family-care/


Acme Markets faces possible data breach

Jeff Blumenthal
Reporter, Philadelphia Business Journal

Officials are investigating a possible data breach at Acme Markets, its owner said Monday.

Albertsons, owner of Acme Markets, and its third-party IT service provider, Supervalu, said the breach could affect Acme Markets in Pennsylvania, New Jersey, Delaware and Maryland as well as supermarkets it owns and operates in several other states.

In late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores, the companies said.

Albertsons said the malware may have captured data including account numbers, card expiration dates and the names of cardholders at stores in more than a dozen states.

Acme said in an update on its website that based on the information it currently has, it does not believe any customer data was stolen. But it urges customers that used debit or credit cards in its stores between June 22 and July 17 or between August 27 and September 21 to monitor their accounts and contact their bank immediately if they detect suspicious activity.

Jeff Blumenthal covers banking, insurance and law.



Article source: http://www.bizjournals.com/philadelphia/morning_roundup/2014/09/possible-data-breach-at-acme-markets.html
