#CyberFLASH: Hacking fears close photo websites

TXMCA204-120_2014_152032_highCostco Canada has joined Walmart Canada and two major U.S. drug store chains in shuttering their online photo websites in the wake of a possible data breach at the supplier.

The retailers say their photo sites remain shut down as a precaution. All four sites are administered by Vancouver-based PNI Digital Media, which is owned by Staples Inc.

Customers of Costco Canada would not be affected by the potential breach as the photo site doesn’t accept credit card payments, the retailer said in a statement on its website.

However, Costco said it has suspended access to its online photo sites both in Canada and the U.S. as a temporary precaution.

“This decision does not affect any other Costco website or our in-store operations, including in-store photo centres,” the statement says.

Rite Aid Corp., a U.S. drug store chain, said it has taken down its photo site even though its customer credit card information isn’t processed by PNI. CVS Corp., another U.S. drug store retailer, has also taken its photo website offline

Late last week, Staples acknowledged that PNI was investigating a potential credit card data security issue, but has declined to say how many companies or customers could be affected.

“We take the protection of information very seriously,” Staples said in an email response to The Toronto Star on Monday. “PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation. If an issue is discovered, it is important to note that consumers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

Read more here

#CyberFLASH: Home Depot facing lawsuits in Canada, U.S. over data breach

Close up of wooden gavel at the computer keyboardHome Depot faces at least 44 lawsuits in the United States and Canada over a massive data breach earlier this year that affected 56 million debit and credit cards.

The nation’s biggest home improvement retailer said Tuesday in a regulatory filing that several state and federal agencies also are looking into the data breach and it may face more litigation from customers, banks, shareholders and others.

Home Depot said the litigation and the investigations may distract management and affect how it runs its business. It also could lead to additional costs and fines. But those expenses aren’t clear yet because the cases are in early stages, the company said in a quarterly filing with the Securities and Exchange Commission.

The company said earlier this month after announcing third-quarter earnings that it anticipates a fourth-quarter breach-related expense of about $27-million, but only about $6-million after insurance.

Home Depot has a $100-million insurance policy for breach-related expenses. That comes with a $7.5-million deductible.

Read more here

#CyberFLASH: Home Depot eliminates malware that affected 56 million credit cards


TORONTO – Home Depot said Thursday that 56 million payment cards used at its American and Canadian stores between April and September were compromised by a type of criminal software that hadn’t previously been seen in other attacks.

The Atlanta-based home improvement retailer said any terminal with the malware has been taken out of service and that it completed introducing new encrypted terminals in all of its U.S. stores on Sept. 13, less than two weeks after the attack was discovered.

Home Depot says it will complete installing new encrypted terminals at its Canadian stores early next year but added they are already equipped to handle credit cards with embedded chips and personal identification numbers.

The company continues to say there is no evidence that debit card personal identification numbers have been compromised or that online shoppers were affected at homedepot.ca or homedepot.com.

Read more here

#CyberFLASH: UPDATE – Canadian cards from Home Depot attack appear to be for sale online


Canadian credit and debit cards compromised in a recent hacker attack on Home Depot appear to be available for sale online.

Security researcher Brian Krebs, who first reported the attack last week, said on Tuesday that the stolen data, which can be used to make fake cards, is available for sale online. Cards issued by all of the big five Canadian banks — RBC, TD, CIBC, BMO and Scotiabank — are listed on at least one website selling hacked credit card information.

American Express cards and cards issued by a number of smaller banks and credit unions are also on the list.

Home Depot said on Tuesday that Canadian credit and debit cards could have been compromised in the attack, which targeted customer information at the company’s stores in Canada and the U.S.

People who have used credit or debit cards at Home Depot stores in Canada since April 2014 may have had their card information stolen, a company spokesperson said.

Read more here

#CyberFLASH: Home Depot says data breach may have affected Canada


The Home Depot Inc. confirmed Monday that its payment data systems have been breached, potentially affecting customers who used cards at U.S. and Canadian stores, dating as far back as April.

“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” according to a company press release.

“Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware and protect customer data.”

The company said there is no evidence that the breach has affected stores in Mexico or customers who shopped online at HomeDepot.com.

The company is offering free identity protection services, including credit card monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.

Read more here

#CyberFLASH: Mounties charge Quebec teen for hacking Bell customer data, posting it online


The Mounties have charged a young offender in Quebec after the user names, passwords and credit-card information from some of Bell Canada’s small-business customers were posted online.

The RCMP say they started investigating after one of Bell’s third-party IT suppliers was cyberhacked.

As a result of the hacking, investigators say, 22,421 user names and passwords and five valid credit-card numbers were displayed for anyone to see on the Internet.

A young offender, who cannot be identified because of his age, was arrested at a Bagotville, Que., residence early Friday and charged with one count of unauthorized use of a computer and two counts of mischief in relation to data.

Police said the accused is believed to be a member of a hacktivist group NullCrew, alleged to be responsible for hacking into computers of businesses, schools and government agencies.

Read more here

#CyberFLASH: NullCrew attack on Bell Canada was SQL injection and Bell knew weeks ago


NullCrew has responded to Bell’s claim that it was a third-party supplier who got hacked by providing DataBreaches.net with more details about the hack and their conversations with Bell alerting them to the breach.

In an interview today, NullCrew revealed that they had access to Bell’s server for months, and had disclosed that to them in a chat with Bell Support weeks ago. A screenshot of the chat between NullCrew and Bell Support employee “Derek” shows that NullCrew was informing Bell that they were in possession of users’ information:

NullCrew states they actually gave them the vulnerable url and details, but got nowhere with them.

I informed them they didn’t have much time, and the world would soon see their failure…. Their response was exactly what you see in their article, bullshit. “Bell Internet is a secure service.” They did not even say they would look into it, they did not try and assess the exploit.. it was up, for two weeks. And only taken down after we released our data.

Read more here

#CyberFLASH: Hacker group posts usernames and passwords from more than 20,000 Bell customers

BCE Beats Profit Estimates as Smartphone Subscribers Gain

More than 20,000 small business customers of telecommunications giant Bell Canada were the victims of what the company is calling an “illegal hacking” incident that left their user names and passwords publicly exposed on the Internet during the weekend.

Observers say the latest hacking incident, which follows on the heels of a Yahoo breach last week, should send a message to businesses, governments, and individuals: Brace for more hacking of personal information as the amount of time spent online interacting — and transacting — increases.

Five valid credit card numbers were also posted online as a result of the latest hacking incident, which Bell says involved the information system of one of its third-party suppliers based in Ottawa.

Bell spokesman Paolo Pasquini said the 22,421 small business customers affected are based in Ontario and Quebec.

“There will certainly be a bunch of freaked-out businesses with this compromised data,” said Dan Kelly, president of the Canadian Federation of Independent Business, who called the weekend hacking incident “quite disturbing.”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.