Vermont ski area reports Hannaford-like theft of payment card data
Okemo says card info was stolen as cards were swiped, as in breach at grocery chain
Computerworld - In a security breach that sounds similar to the one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February.
Okemo said in a security advisory released on Monday that the breach may have affected customers who used their payment cards at the resort in Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the intrusion took place. The intruder or intruders may also have accessed data from card transactions processed between January and March 2006, according to the advisory.
Bonnie MacPherson, a spokeswoman for Okemo, said today that at least some of the data appears to have been stolen as the recent payment card transactions were being authorized. "We can tell you that this was a real-time theft," MacPherson said. "The information was being taken as the cards were being swiped."
If that is actually the case, it could make the breach at Okemo a close cousin to the much larger one announced by Hannaford on March 17. In the Hannaford breach, malware installed on servers in each of the Scarborough, Maine-based company's grocery stores intercepted card data as the information was being transmitted from point-of-sale systems to authorize transactions.
Hannaford said in a letter sent to Massachusetts officials last week that up to 4.2 million credit and debit card numbers, as well as the expiration dates of the affected cards, were stolen by the malware program and then sent in batches to a server hosted by a foreign ISP. The grocer added that the discovery of the mass malware installation prompted a wholesale replacement of its store servers, plus other unspecified steps aimed at ensuring "that no versions of the malware remain anywhere on the company's systems."
And Hannaford and Okemo may not be the only businesses disclosing breaches involving payment card data in transit between systems. According to MacPherson, law enforcement authorities who are investigating the breach at Okemo told resort officials that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.
MacPherson said the system intrusion was discovered in late February but declined to comment on how the resort learned of it, citing the ongoing investigation. She added that Okemo has taken steps to close the breach and prevent further intrusions, but again didn't disclose any specific details.
In addition to notifying law enforcement officials, Okemo has informed Visa, MasterCard and American Express of the breach. But the resort doesn't have sufficient information on hand in its systems to directly contact all of the individuals who might have been affected, MacPherson said. Resort officials have been told, she said, that customers will be contacted directly by the banks that issued their credit and debit cards.
Okemo doesn't know for sure how many cardholders were affected. But in its advisory, the resort said that data from up to 28,168 card transactions processed in February may have been compromised. Okemo noted that the number of customers potentially affected may be smaller than that number because some cards might have been used for multiple transactions. In addition, data on 18,401 individual credit cards used at Okemo in early 2006 may have been accessed during the intrusion, the resort said.
According to Okemo, a computer forensics review by an outside security consultant found no evidence of any security breaches on the systems at the Mount Sunapee ski area in New Hampshire or the Crested Butte Mountain Resort in Colorado. All three ski areas are owned by the same company.
After Hannaford disclosed its breach, some analysts said it was the first time that attackers had swiped payment card data while the information was in transit on such a large scale. Most of the card data compromises reported thus far have involved information stored in databases on systems or in storage devices. But with companies putting more effective controls around stored data, attackers may be shifting their attention to data in transit.