Stop & Shop PIN Pads Breached; Connecticut Removes Worker Data From Site
An increasing number of companies are learning about proper customer data protection the hard way.
Identity fraud concerns in both the private and public sectors are creeping their way down the East Coast, as the state of Connecticut and the Quincy, Mass.-based Stop & Shop supermarket chain within the past few days have acknowledged breaches to sensitive employee and customer data, respectively. Such breaches have become an all-too-familiar occurrence recently--led by the large cybertheft of customer information from TJX--as more organizations every week learn about proper customer data protection the hard way.
In Connecticut, names and Social Security numbers of more than 1,700 state employees were posted to the state Administrative Services Department's Web site because of a glitch in the system that characterized those employees as state vendors. Employees were notified last week of the problem after a state worker in January found his name on the site. The state employee information was erroneously loaded into a spreadsheet listing vendors who work with the state, a spokesman for the state comptroller's office said Tuesday. The information was removed from the site in January, and the state has taken measures to remove metadata from the Web that would allow this employee information to be found via a search engine, he added.
In the private sector, Stop & Shop on Feb. 17 revealed that it had discovered some tampering with checkout lane electronic funds transfer units--the PIN pad that customers often use to make purchases--at two Rhode Island stores that may have led to the theft of credit and debit card account as well as PIN information. It's a case eerily reminiscent, although on a lesser scale, of the recent hack into Framingham, Mass.-based TJX's systems. TJX, whose properties include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods stores, was victim to a hacker who accessed the company's computer systems that process and store information related to customer transactions at its stores in the United States and Puerto Rico, as well as for some stores in Canada, and potentially Ireland. The stolen information may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.
Stop & Shop performed an inventory and inspection of EFT units in all of its stores in response to the discovery of the EFT unit tampering. The company subsequently discovered evidence of payment device tampering at three other Rhode Island locations and one store in Massachusetts, but it hasn't received reports of any fraudulent transactions at those locations.
Stop & Shop said in a statement that the tampering took place in early February and that the company is working with local police departments and the U.S. Secret Service to determine the extent of the crime. "We also have contacted our credit and debit processors and business partners in order to identify and protect affected customer accounts," the statement says.
Although employee involvement is sometimes suspected when EFT units are tampered with, Stop & Shop noted in its public statement that its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."
In an additional statement that's also become all too familiar in recent years, the supermarket chain recommends that customers who used electronic payment cards in its Rhode Island stores and its Seekonk, Mass., store carefully monitor their bank or credit card statements, and that they contact the applicable bank or credit card issuer immediately in the event of any fraudulent transactions.
The numerous examples of breached customer data indicate the inherent lack of security in retail systems, but they also highlight the better awareness of security policy by employees. While Stop & Shop EFT units are in close proximity to store cashiers and heavily populated checkout lines, they were still compromised. And, in the case of Connecticut, employee data was posted inadvertently but may have been exposed since as far back as October 2003. A data security audit would have discovered this error long before the employee brought this to the state's attention.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.