Security Breaches - and the need for PCI-Compliance

The following are examples of security breaches involving credit card data (and other sensitive information) that make the case for PCI compliance, which Abacus 21 has incorporated into its electronic funds transaction processing through its PCI-compliant use of Shift4:

Okemo Announces It Has Been Recent Target of Security Breach -

Okemo Mountain Resort today announced that it has been a recent target of criminal efforts to gain access to credit data by infiltration of its computer network at Okemo Mountain Ski Area. Okemo believes the intruder gained potential access to credit card data including cardholder names, account numbers and expiration dates. An expert in data security and forensics hired by Okemo to assist in the investigation and response to the incident has informed Okemo that its computer system was improperly accessed by an outside party for a 16-day period between February 7, 2008 and February 22, 2008. Affected consumers potentially include those who used their credit cards at Okemo during such dates as well as those who did so from January through March of 2006.

The exact number of cardholders affected is unknown at this time. The forensic review determined that the intruder may have accessed credit card data from up to 28,168 credit card transactions processed at Okemo during the 16-day period in February. The actual number of credit card holders involved in the transactions is likely to be smaller because multiple transactions may have been processed on a single card. In addition, there may have been access to 18,401 individual credit cards used at Okemo from January through March 2006, many of which are believed to have expired. The forensic expert determined that there was no evidence of any security breach to the computer systems at Mount Sunapee or Crested Butte.

Upon discovery of this intrusion, Okemo promptly initiated security measures to block the infiltration and protect any personal information transmitted through its system from any further unauthorized access. Okemo has provided notice to Visa, MasterCard and American Express and is cooperating fully with the credit card companies to notify potentially affected cardholders. Okemo does not have sufficient information to directly contact cardholders. Okemo has been informed that the banks, which issued the credit cards, will be provided with information necessary to notify their cardholders. Okemo has also notified law enforcement and is providing notice to State Attorneys General and appropriate regulatory agencies. Okemo will continue to carefully monitor the security of its systems moving forward.

Okemo has been advised by Federal law enforcement officials that the matter is currently under investigation. Okemo recommends that all cardholders carefully review their credit card statements and credit reports and remain alert for any unauthorized or suspicious activity. Further, Okemo recommends that cardholders consider monitoring free credit reports that are available through the three major credit agencies, the contact information for which is listed below.

Okemo will provide updates on this incident on its website: www.okemo.com. For further information or assistance, cardholders are encouraged to call the following Toll Free Number, 1-866-756-5366. Okemo can also be contacted at Okemo Mountain Resort, 77 Okemo Ridge Road, Ludlow, VT 05149.

Listed below is the contact information for the major credit reporting agencies and the Federal Trade Commission. Individuals may obtain information from these sources about steps they can take to obtain free credit reports and place a fraud alert or security freeze on their credit report and file.

Hannaford Reveals Theft Details, Plans to Spend Millions on Military-Level Security -

BREAKING NEWS (4/22/08): In an invitation-only conference call this morning, Hannaford Bros. CEO Ron Hodge and CIO Bill Homa reveal new facts about the recent theft of 4.7 million customer credit and debit card files from the grocery chain's database. They also outline steps taken before and after the criminal intrusion, including details about future initiatives that will ensure a military-level of security and cost millions of dollars to ensure deterrence, protection and detection.

"The recent criminal intrusion was one of the biggest challenges we have ever faced in the 100-plus year history of Hannaford Bros.," said Hodge. "We have spent significant resources in coming to understand the complexities of this crime. We have begun working with General Dynamics, IBM and Cisco to ensure a military-level of security. And we also want to apologize to our customers for intrusion. We will take bold steps to prevent future intrusions and want to thank customers for their loyalty and support in the past few weeks. We intend to do whatever it takes to be a leader in security and to protect customer data."

CIO Bill Homa, a recognized leader in retail technology and member of the RIS Editorial Advisory Board, revealed that the intrusion was contained in March and personal customer information was compromised. It was limited to debit and credit card numbers and expiration dates, and it did not include PIN numbers. We do not keep identifiable customer information.

Both Hodge and Homa emphasized they could not fully address the scope of the intrusion due to ongoing criminal and forensic investigations. Their emphasis was on conveying an overview of security efforts and an understanding of future plans.

"We were an early adopter of the PCI standard system and certified as being compliant in February 2007 and February 2008," said Homa. "In fact, we are committed to exceeding PCI compliance standards and are not limiting ourselves to just meeting them. IT security is a continual process."

Hannaford will focus on three main areas in its future security plan: deterrence, protection and detection. To accomplish these goals, Hannaford has implemented a 24/7 hosted intrusion protection system with IBM to help manage the complex task of separating false positives from real threats. "We don't have enough eyes and hands to investigate all the false-positive intrusions we detect and so have begun working with IBM to help us and report back to us the ones that are real threats," said Homa.

Other areas where Hannaford is devoting IT resources include: highest possible level of PIN encryption, highest possible protection against malware being installed on systems and a host-intrusion prevention system to be installed on the POS controller.

In some cases, reports Homa, retailers have to wait until hardware and software vendors release next-generation products that comply with updated security standards. As soon as these new products are available, Hannaford will install them, even though we may be replacing perfectly good scanner guns, for example, with new guns that are more secure.

According to Homa, the cost for replacing hardware will run into the millions of dollars and the cost for host-intrusion protection will be $5,000 per store.

With 165 stores in the Hannaford chain, the cost for adding new software alone will be nearly a million dollars. Adding upgraded hardware will double that figure. And then there are the costs associated with restructuring business processes, adding internal controls and hiring external auditors to certify compliance. Multiply this figure by the rest of the retail industry and it is easy to project a cost in the billions of dollars to deal with the plague of criminal intrusions.

Contact Information for Credit Reporting Agencies and the Federal Trade Commission -

Equifax
1-800-685-1111
PO Box 740241
Atlanta, GA 30374-0241
www.equifax.com

Experian
1-888-397-3742
PO Box 2104
Allen, TX 75013
www.experian.com

TransUnion
1-800-916-8800
PO Box 1000
Chester, PA 19022
www.transunion.com

The Federal Trade Commission
1-877-438-4338
600 Pennsylvania Avenue, NW
Washington, DC 20580
www.ftc.gov

 
All material ©2020 Abacus 21, Inc. All Rights Reserved.