We learned this week that the upscale retailer Neiman Marcus suffered basically the same security breach as the one that affected Target during the height of the holiday shopping season. Malware installed on its networks infected its point-of-sale system; the malicious code collected payment card data, including PINs, for 1.1 million customers.
While Neiman Marcus and Target—whose security lapse left credit card data for 70 million of its customers in the hands of cybercriminals—have been in the news, they’re not the only ones who've had their digital pockets picked. According to researchers at IntelCrawler, an online intelligence-gathering service that helps firms spot cyberthreats, chatter on forums where cybercriminals ply their trade has revealed that as many as six other retailers have also had their systems—and their customers’ information—compromised. IntelCrawler is not naming names, but says it is providing technical information related to the breaches to the appropriate authorities.
NSA Phone Snooping Illegal and Ineffective, Says Review Board
The U.S. government’s Privacy and Civil Liberties Oversight Board released a 238-page report this week calling the National Security Agency’s collection of metadata related to U.S. residents’ phone calls illegal and recommending that the practice be ended. The panel concluded that the program not only “lacks a viable legal foundation under Section 215 [of the U.S. Patriot Act]” but has also been largely ineffective.
“We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack,” said the board’s members. “And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect.”
Fill-Up Fraudsters Nabbed
A team of fraudsters who installed Bluetooth-enabled skimmers on the credit card readers at refueling stations across Texas, Georgia, and South Carolina was indicted this week. The thirteen defendants allegedly stole more than US $2 million from customers who filled their tanks at Raceway and RaceTrac stations between March 2012 and March 2013. Because the skimmers communicated via Bluetooth, the thieves could surreptitiously download the data without ever rousing suspicion. According to the criminal complaint, the gang used the stolen credit card information to produce phony cards that they subsequently used to withdraw cash and spread it across 70 different accounts in an effort to launder the money.
In Other Cybercrime News…
- Security Researcher Breaks Snapchat's New Security Feature in Less Time Than It Takes to Have a Pizza Delivered
- Syrian Electronic Army Hacks Microsoft's Office Blogs Site
- Google to Award $2.7 million in Prizes at This Year’s Pwnium Hackfest
- Facebook Pays $33 500 Bounty to Brazilian Security Researcher for Spotting OpenID Vulnerability
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.