![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Goodwill hack lasted 18 months
Sep. 18th, 2014 11:08 amApparently a number of Goodwill stores all had their credit card processing done by one company, and that was the infiltration point. The vendor claims that only 25 cards have been used fraudulently since the compromise, a number that I'm frankly dubious of. But there are a couple of things to remember, and that is that Goodwill purchasers are not always high-value people, so it's quite possible that when word got out at how low of credit limit the cards typically were, they just gave up on the batch. Still, I find the number dubious.
The article points out a very big hole in the reporting laws of lots of states, this is a very good explanation of the problem. To quote from the Krebs article:
The magnetic stripe on a credit or debit card contains several areas, or “tracks,” where cardholder information is stored: “Track 1″ includes the cardholder’s name, account number and other data. “Track 2,” contains the cardholder’s account, encrypted PIN and other information, but it does not include the account holder’s name.cconsulting.com
Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).
This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.
And in the case of the Goodwill breech, only track 2 info was being sold.
http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/
The article points out a very big hole in the reporting laws of lots of states, this is a very good explanation of the problem. To quote from the Krebs article:
The magnetic stripe on a credit or debit card contains several areas, or “tracks,” where cardholder information is stored: “Track 1″ includes the cardholder’s name, account number and other data. “Track 2,” contains the cardholder’s account, encrypted PIN and other information, but it does not include the account holder’s name.cconsulting.com
Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).
This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.
And in the case of the Goodwill breech, only track 2 info was being sold.
http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/
