A leading payments industry news source for more than 17 years. Glenbrook curates the news and keeps you abreast of the important daily headlines in payments.

February 8, 2022

On the web

Data Breaches Remain a Nettlesome Problem, Especially for U.S. Companies

Digital Transactions

“While the number of publicly disclosed data breaches totaled 4,145 globally in 2021, a 5% decline from 2020, the bulk of those breaches occurred in the United States. Disclosed data breaches in the U.S. totaled 2,953, or 71% of the global total, according to Risk Based Security Inc. The number of breaches in the U.S. was also up for the year, increasing 11% from the 2,645 breaches reported in 2020.”

August 16, 2021

On the web

T-Mobile Investigating Claim of Stolen Personal Data for Sale

CNET

“T-Mobile is looking into a post on a forum that claimed to be selling the personal data of more than 100 million people swiped from the mobile carrier’s servers. The data breach included information such as Social Security numbers, phone numbers, names, physical addresses and driver license information, according to Vice, which reported the security breach claim earlier on Sunday. The forum post doesn’t mention T-Mobile by name, but the seller told Vice’s Motherboard that the data came from T-Mobile servers.”

April 1, 2021

On the web

MobiKwik Investigating Data Breach After 100M User Records Found Online

TechCrunch

“MobiKwik said on Tuesday it was investigating claims of data breach after a website claimed to have exposed private information of nearly 100 million users of the Indian mobile payments startup. Over the weekend, a site on the dark web claimed it had 8.2 terabytes of MobiKwik user data. The data included phone numbers, email addresses, scrambled passwords, transactions logs and partial payment card numbers. The website also claimed that it had “know your customer” (KYC) documents (government-issued Aadhaar card or PAN ID) of 3.5 million users, and each visit to the website displayed four random images from the data dump.”

November 13, 2020

On the web

Ticketmaster fined £1.25m over payment data breach

BBC

“Ticketmaster UK has been fined £1.25m for failing to keep its customers’ personal data secure. The fine was issued by the Information Commissioner’s Office (ICO) following a cyber-attack on the Ticketmaster website in 2018. The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe. Ticketmaster said it would appeal against the ruling. An investigation found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page.”

October 12, 2020

On the web

Uganda’s Banks Have Been Plunged Into Chaos by a Mobile Money Fraud Hack

Quartz (paywall)

“A major hack that compromised Uganda’s mobile money network has plunged the country’s telecoms and banking sectors into crisis. The Oct. 3 hack was a result of a security breach on a consumer finance aggregator, Pegasus Technologies, which mainly affected bank to mobile wallet transfers, according to an Oct. 8 statement by MTN Uganda, the country’s largest mobile phone company. Kampala-based Pegasus Technologies provides financial and billing solutions for various companies including all the affected entities.”

August 6, 2020

On the web

Banking Regulator Fines Capital One $80 Million Over 2019 Hack

Wall Street Journal (paywall)

“A top banking regulator has fined Capital One Financial Corp. $80 million over a 2019 hack that compromised the personal information of about 106 million card customers and applicants. The Office of the Comptroller of the Currency said the bank failed “to establish effective risk assessment processes” before transferring information-technology operations to the public cloud and “to correct the deficiencies in a timely manner.””

April 1, 2020

On the web

Marriott Discloses New Data Breach Impacting 5.2 Million Hotel Guests

ZDNet

“Hotel chain Marriott disclosed today a security breach that impacted more than 5.2 million hotel guests who used the company’s loyalty app. According to a breach notification posted on its website, the hotel chain learned of the security breach at the end of February, when it discovered that a hacker had used the login credentials of two employees from one of its franchise properties to access customer information from the app’s backend systems.”

December 20, 2019

On the web

If You Stopped at a Wawa Mini Mart Recently, Your Payment Card Details May Have Been Snatched

The Verge

“Credit card and debit card numbers, expiration dates and customers’ names on the cards used at its in-store registers and gas pumps were among the data affected, the company says. The company’s announcement and FAQ doesn’t begin to suggest how the malware got there or who might have been trying to get customers’ payment information, but the company says it has a forensics firm investigating the breach and is working with authorities on a criminal investigation into the matter.”

December 12, 2019

On the web

Iran Banks Burned, Then Customer Accounts Were Exposed Online

The New York Times

“Iran has been engaged in a cycle of hack and counterhack in a cyberwar against the United States and Israel. Both sides have targeted each other’s financial and sensitive government institutions through cyberattacks for years. The banks affected — Mellat, Tejarat and Sarmayeh — had all been sanctioned more than a year ago by the United States Treasury, which accused them of having transferred money on behalf of blacklisted entities of Iran’s Islamic Revolutionary Guards Corps, part of the armed forces. The entire Revolutionary Guards organization was designated as a terrorist group by the Trump administration last April.”

October 21, 2019

On the web

Equifax Used ‘Admin’ As Username and Password for Sensitive Data: Lawsuit

Yahoo

“Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.”

October 15, 2019

On the web

Data for a Whopping 26 Million Stolen Payment Cards Leaked in Hack of Fraud Bazaar

Ars Technica

“A thriving online bazaar selling stolen payment card data has been hacked in a heist that leaked the records for more than 26 million cards, KrebsOnSecurity reported on Tuesday. The 26 million figure isn’t significant only to the legitimate consumers and businesses who own the stolen cards or the financial institutions that issued them. Fortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.”

October 10, 2019

On the web

Hackers Breach Volusion and Start Collecting Card Details From Thousands of Sites

ZDNet

“Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms. More than 6,500 stores are impacted, but the number could be even higher. In a press release published last month, Volusion claimed it had more than 20,000 customers.”

September 20, 2019

On the web

Payment Card Thieves Hack Click2Gov Bill Paying Portals in 8 Cities

Ars Technica

“In 2017 and 2018, hackers compromised systems running the Click2Gov self-service bill-payment portal in dozens of cities across the United States, a feat that compromised 300,000 payment cards and generated nearly $2 million of revenue. Now, Click2Gov systems have been hit by a second wave of attacks that’s dumping tens of thousands of records onto the Dark Web, researchers said on Thursday.”

August 23, 2019

On the web

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

Krebs on Security

“On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.”

Mastercard Alerts Privacy Watchdogs After Loyalty Program Leak

Bloomberg

“Mastercard Inc.’s European unit formally notified Belgian and German data-protection regulators of a data lapse concerning a loyalty program, officials said on Friday. The Belgian watchdog said in a statement on Friday that the card company alerted it to a “breach” detected on Aug. 19. It said the episode would have affected a “large number” of people and that “a significant portion” of them would be German customers.”

August 8, 2019

On the web

Instagram’s Lax Privacy Practices Let a Trusted Partner Track Millions of Users’ Physical Locations, Secretly Save Their Stories, and Flout Its Rules

Business Insider

“A combination of configuration errors and lax oversight by Instagram allowed one of the social network’s vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users’ physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours. The profiles, which were scraped and stitched together by the San Francisco-based marketing firm Hyp3r, were a clear violation of Instagram’s rules. But it all occurred under Instagram’s nose for the past year by a firm that Instagram had blessed as one of its preferred “Facebook Marketing Partners.””

August 5, 2019

On the web

How the Accused Capital One Hacker Stole Reams of Data From the Cloud

Wall Street Journal (paywall)

“Ms. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness in some misconfigured networks, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation. Security professionals for years have warned about that gap, which the messages and interviews suggest she used to trick a system in the cloud to uncover the sensitive credentials she needed to access the vast number of customer records.”

July 12, 2019

On the web

Japanese Exchange Bitpoint Hacked by $32 Million Worth in Cryptocurrencies

CoinDesk

“According to a CoinDesk Japan report on Friday, Bitpoint halted all services including trading, deposit and withdrawal of all crypto assets on Friday morning after it noticed irregular withdrawal from its hot wallet on Thursday. It is not yet clear at this stage which types of assets were lost, the exchange offered trading for five cryptocurrencies: bitcoin, bitcoin cash, ether, litecoin and XRP.”

July 8, 2019

On the web

British Airways Faces Record £183m Fine for Data Breach

BBC News

“The airline, owned by IAG, says it is “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO). At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website. The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules.”

June 17, 2019

On the web

Nearly a Third of Retailers Say Online Sales Represent the Greatest Increase in Fraud at Their Companies

Digital Commerce 360

“Nearly 50% of retail loss prevention professionals are getting bigger budgets to help quell fraud, according to a report released by the National Retail Federation earlier this month. 44.5% of loss prevention professionals surveyed said their budgets for loss prevention efforts are increasing, and 68.2% say they’ll allocate additional resources to stop fraud, most of that in technology. About one in three (28.6%) surveyed professionals say they will add staff resources—and are looking for professionals with analytical, cybersecurity and investigative skills, the NRF says.”

June 10, 2019

On the web

Data Breaches Cost $654 Billion in 2018

Security Magazine

“Data from ForgeRock found that cyberattacks to U.S. financial services organizations cost the industry more than $6.2 billion in Q1 2019 alone, up from just $8 million in Q1 2018. Even though investments in information security products and services have been on the rise, with $114 billion invested in 2018, cybercriminals continue to attack organizations across a wide spectrum of industries to gain access to valuable consumer data. According to the research, personally identifiable information (PII) was the most targeted data for breaches in 2018, comprising 97 percent of all breaches. By targeting PII, cybercriminals prove that they’re hungry for consumer data and the research also found the most frequent attack method was from unauthorized access, encompassing 34 percent of all attacks. Healthcare, financial services and government were the sectors most largely impacted by cyberattacks.”

June 5, 2019

On the web

7.7 Million LabCorp Records Stolen in Same Hack Affecting Quest Diagnostics

TechCrunch

“LabCorp is the latest laboratory testing giant this week to confirm it’s affected by the same third-party data breach. The Burlington, North Carolina-based medical giant said 7.7 million patients had their personal and financial data stolen by hackers, which hit the payment pages of the American Medical Collection Agency, a third-party vendor that processes payments for LabCorp and other companies. The admission comes a day after Quest Diagnostics around 11.9 million patients had their data stolen.”

May 30, 2019

On the web

Checkers/Rally’s Payment Card Breach in 19 States’ Stores

Mobile Payments Today

“Checkers Drive-In Restaurants is notifying guests about a data security issue involving malware at certain Checkers and Rally’s locations in 19 states, according to a news release. The brand said that after becoming aware of the issue, data security experts investigated and coordinated with federal law enforcement, while dispatching third-party security experts to contain and remove the malware, according to the release.”

May 13, 2019

On the web

Why Rewards for Loyal Spenders Are ‘a Honey Pot for Hackers’

The New York Times

“The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one. But loyalty programs, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programs know things about you that some of your friends may not, like your favorite flavor (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.”

April 10, 2019

On the web

A New Breed of ATM Hackers Gets in Through a Bank’s Network

WIRED

“These system architecture improvements, combined with tailored monitoring to flag and block more fraudulent fund transfers, have inspired scammers to innovate in kind. In an attack on India’s Cosmos bank last August, hackers stole $13.5 million by infecting the bank’s ATM server with malware that retrieved customer information and their assigned SWIFT codes. Then they used this data to initiate thousands of transfers, both within India and in multiple other countries, where money mules cashed out the malicious transactions.”
