The Green Sheet Online Edition
January 26, 2015 • Issue 15:01:02
Data breaches across America
An unprecedented number of high profile data breaches occurred at U.S. retailers in 2014. Equally troubling were breaches that received little media attention, yet dramatically impacted those targeted, forcing many of them out of business. Following is a compilation of 2014 data breaches. For more information visit the Privacy Rights Clearinghouse website at www.privacyrights.org.
High profile 2014 data breaches:
Dec. 9, 2014 – Charge Anywhere, South Plainfield, N.J.
Charge Anywhere notified individuals that an unauthorized person(s) installed "sophisticated malware" that permitted hackers to "capture segments of outbound network traffic" on transactions completed Aug. 17 to Sept. 24, 2014, and possibly dating back to Nov. 5, 2009.
Dec. 5, 2014 – Bebe Stores Inc., Brisbane, Calif.
The women's clothier notified customers of a POS systems breach that occurred Nov. 8 to Nov. 26, 2014, that allowed hackers to obtain credit card information. A forensics investigation was launched to determine the extent of the breach. Possibly more than 200 stores were affected.
Oct. 20, 2014 – Staples Inc., Framingham, Mass.
An investigation conducted on behalf of Staples revealed nearly 1.2 million customer payment cards at 115 Staples stores may have been accessed by hackers using malware that allowed access to cardholder names, payment card numbers, expiration dates and card verification codes.
Oct. 10, 2014 – Sears Holdings Corp./K-Mart Holding Corp., Hoffman Estates, Ill.
A breach that occurred at K-Mart stores starting in Sept. 2014 apparently used malicious software to target POS systems, compromising cardholder information. K-Mart removed the malware from its systems and is working with investigators to assess the extent of the breach.
Sept. 29 and Aug. 15, 2014 – Albertsons LLC (AB Acquisitions LLC), Spokane, Wash.
In two separate incidents, AB Acquisitions LLC discovered malware was used to capture cardholder data at various store locations. The first breach occurred from June 22 to July 17, 2014. The second breach impacted stores from Aug. 27 to Sept. 21, 2014.
Sept. 2, 2014 – The Home Depot U.S.A. Inc., Atlanta, Ga.
After launching a multistate investigation, Home Depot confirmed that POS systems at 2,200 of its stores across the United States and Canada were compromised, potentially affecting as many as 56 million cardholders.
Aug. 27, 2014 – Dairy Queen Corp., Edina, Minn.
A breach of an unknown number of POS systems at the chain's 6,300 locations forced several affected stores to accept cash only until authorities investigated further. "Backoff" malware was later detected, the same malware attributed to the Target and Supervalu data breaches.
Aug. 20, 2014 – The UPS Store Inc., Atlanta, Ga.
Malware was discovered on UPS systems that impacted 51 franchise store locations in 24 states. According to UPS, both credit and debit card transaction information was compromised from Jan. 20 to Aug. 11, 2014. The company said it has since removed the malware from its system.
Aug. 15, 2014 – Supervalu Inc., Eden Prairie, Minn.
Supervalu, which operates 3,763 corporate and franchise stores, reported a system attack that compromised credit card data on POS systems used at an unknown number of stores from June 22 to July 17, 2014. The breach is under investigation.
July 14, 2014 – Goodwill Industries International Inc., Rockville, Md.
Upon detecting fraudulent credit card activity, a forensics investigation revealed a third-party vendor's systems had been compromised by malware, allowing fraudsters access to customer card data intermittently from Feb. 10, 2013, to Aug. 14, 2014. This affected 330 stores in 20 states.
June 11, 2014 – P.F. Chang's China Bistro Inc., Scottsdale, Ariz.
After credit card data surfaced on an underground website, the restaurant chain confirmed a breach to its POS system had occurred. An investigation revealed customer credit and debit cards at 33 restaurant locations were affected by the breach.
March 5, 2014 – Sally Beauty Supply LLC, Denton, Texas
Investigators determined hackers gained access to the beauty supplier's network to steal credit card data from stores. An investigation found the breach impacted fewer than 25,000 records containing track 2 payment card data.
March 4, 2014 – The J.M. Smucker Co., Orrville, Ohio
Smucker's Online Store was penetrated by a cyber attack that compromised cardholder data using sophisticated malware to obtain form data submitted by visitors during the checkout process.
Jan. 10, 2014 – Neiman Marcus, Dallas, Texas
Neiman Marcus confirmed its database of customer information was hacked. The breach, which may have dated back as far as July 2013, was fully contained on Jan. 12, 2014, the store said. Approximately 1.1 million cardholders were affected.
Low profile 2014 data breaches:
Dec. 11, 2014 – ABM Parking Services, St. Louis, Mo.
A POS system implemented by third-party vendor Datapark USA Inc. at several Chicago area ABM parking facilities was hacked, compromising the cardholder data of customers who paid for parking services at those locations.
Oct. 14, 2014 – Cyberswim.com (A&H Sportswear Co.), Pen Argyl, Penn.
The online swimwear retailer confirmed unauthorized individual(s) installed malware on the server hosting its website, allowing fraudsters access to customer data for purchases made from May 12 to Aug. 28, 2014.
Sept. 10, 2014 – Bartell Hotels, San Diego, Calif.
The San Diego hotel group revealed that as many as 55,000 hotel visitors may have been victims of a credit card data breach that exposed cardholder data from Feb. 16 to May 13, 2014.
Sept. 9, 2014 – Beef O'Brady's, North Point, Fla.
The Florida-based restaurant chain identified a POS systems breach that compromised transactions from vendors in Texas, New York, Massachusetts and at least four Florida restaurants. The company is working with local law enforcement to investigate the breach.
The Houstonian Hotel, Club & Spa, Houston, Texas
After being notified by the Secret Service of a potential breach to its system, Houstonian launched a forensics investigation and discovered that from December 2013 to June 2014, an unauthorized party gained access to cardholder data on its POS system.
June 26, 2014 – Splash Car Wash (Splash Management Group), Greenwich, Conn.
Approximately 30,000 customers were notified after malware was detected on POS systems at several of the car wash chain's 13 locations in the northeastern United States.
March 18, 2014 – Hickory Grove Gas Station, Vincent, Ohio
As many as 300 cardholders were impacted by an attack that infiltrated the gas station's network.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.