Data breach at Saks Fifth Avenue sees 5m payment card numbers stolen

3 Apr 2018

Saks Fifth Avenue in Manhattan. Image: Northfoto/Shutterstock

A well-known cyber-criminal ring steals millions of card details with software implanted into cash registers.

In the past week, LGBTQ dating app Grindr received major criticism for its handling of private user health data, and the company has since agreed to stop sharing HIV status details with third-party firms.

Meanwhile, Apple CEO Tim Cook and Facebook CEO Mark Zuckerberg continue to throw barbs at one another in the wake of the Cambridge Analytica scandal, with the latter branding previous remarks made by Cook as “extremely glib”.

Athletics brand Under Armour was also in the crosshairs of privacy advocates as subsidiary MyFitnessPal became the victim of a data breach. The health and fitness monitoring app’s user details were stolen, including email addresses and hashed passwords. While no government data was taken, email addresses are still useful for cybercrime groups.

Another week, another round of enterprise news.

A luxury data breach

Personal data of customers shopping at department stores Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has been compromised following a data breach.

Last week, a hacking group called JokerStash claimed it had placed the credit and debit card information of 5m customers up for sale. According to cybersecurity firm Gemini Advisory, the criminals had been siphoning information since May 2017.

The information appears to have been stolen with software implanted into the cash register systems at the stores themselves, stealing data up until April 2018. Phishing emails sent to store employees are likely the culprit.

James Lerud, head of cybersecurity firm Verodin’s behavioural research unit, told Siliconrepublic.com that consumer vigilance is key. “Consumers should take an active role to protect themselves. Keep an eye on statements and look for fraudulent charges. Sometimes it can be hard to remember what a charge is, especially if the name of the transaction is unfamiliar.”

SEC arrests founders of $32m Centra virtual currency project

It continues to be a tumultuous year for the cryptocurrency world as we face into the second quarter of 2018.

Co-founders of digital currency Centra, Sam Sharma and Robert Farkas, were arrested on 1 April, a day before the US SEC released a complaint against the men and announced that the project would be halted.

Centra raised $32m in an ICO during the summer of 2017 and said investors would access a new digital currency exchange and a virtual currency debit card, which would operate on the Visa and Mastercard networks. The SEC said the company never got the approval of the payment card firms and misled investors, going as far as inventing fictitious executives.

Centra had been endorsed by boxer Floyd Mayweather and music producer DJ Khaled.

Boeing hit by WannaCry – it hasn’t gone away

According to The Seattle Times, Boeing was hit by a WannaCry attack on 28 March, triggering widespread worry within the company and among customers before eventually dying down that evening.

Head of communications for Boeing Commercial Airplanes, Linda Mills, said: “The vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”

This followed a previous memo from chief engineer Mike VanderWel calling for “all hands on deck”. This is hardly the return of WannaCry, although it never did disappear entirely.

Is your VPN leaking your IP address?

Security researcher Paolo Stagno, who goes by the pseudonym VoidSec, found that approximately 20pc of today’s VPN solutions leak the user’s IP address via a WebRTC bug known since January 2015.

WebRTC is a free, open project that provides browsers with real-time communications via simple APIs – fundamental building blocks for video and voice chats among others.

Stagno found that 17 VPN clients out of 83 he tested were leaking the user’s IP address via a browser.
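A self-check for the leak described above, as an added example that is not from the article or from Stagno's research: WebRTC gathers ICE candidates whose address fields can expose addresses outside the VPN tunnel, so the code parses candidate lines and flags every address that is not the expected VPN exit. The function names, the `stunUrl` parameter and the sample candidate lines (documentation IP ranges) are assumptions made for illustration.

```javascript
// Added example: flag addresses in WebRTC ICE candidates that bypass the VPN.
// Sample candidate lines are constructed; 203.0.113.50 plays the VPN exit.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.7 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'candidate:3 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000',
];

// Parse one candidate line: foundation, component, transport, priority, address, port, "typ", type.
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (!f[0].startsWith('candidate:') || f.length < 8 || f[6] !== 'typ') return null;
  return { address: f[4], port: Number(f[5]), type: f[7] };
}

function isPrivate(addr) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|127\.)/.test(addr) ||
         /^(f[cd][0-9a-f]{2}:|fe80:|::1$)/i.test(addr);
}

// Return every candidate address that differs from the VPN exit address.
function findLeaks(candidateLines, vpnExitAddress) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.address === vpnExitAddress) continue;
    if (c.address.endsWith('.local')) continue; // mDNS-obfuscated host candidate
    leaks.push({ address: c.address, type: c.type,
                 scope: isPrivate(c.address) ? 'local' : 'public' });
  }
  return leaks;
}

// Browser-only helper: collect this browser's own candidate lines.
// stunUrl is supplied by the caller (hypothetical parameter, e.g. your own STUN server).
async function collectCandidates(stunUrl) {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel('probe');
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done; // a null candidate marks the end of gathering
  pc.close();
  return lines;
}
```

With the VPN connected, a `public` entry returned by `findLeaks` is an address visible to web pages that is not the VPN exit; a `local` entry reveals the LAN address only.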

Are college students hopping on the cryptocurrency bandwagon?

According to cybersecurity firm Vectra’s 2018 Attacker Behaviour Industry Report, cryptocurrency mining is a mounting problem.

Considered opportunistic, mining surged with the rising price of cryptocurrencies such as bitcoin, Monero and Ethereum. Of all the cryptocurrency mining detections, 85pc occurred in higher education. Free electrical power and internet access for students might account for the spike in higher education.

Chris Morales, head of security analytics at Vectra, told Siliconrepublic.com: “Students who mine cryptocurrency are simply being opportunistic as the value of cryptocurrencies surged over the past year, with the value of bitcoin peaking at $19,000 in January 2018. Even at the current value, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects