Stop & Shop PIN Pads Breached; Connecticut Removes Worker Data From Site - InformationWeek


An increasing number of companies are learning about proper customer data protection the hard way.

Identity fraud concerns in both the private and public sectors are creeping their way down the East Coast, as the state of Connecticut and the Quincy, Mass.-based Stop & Shop supermarket chain within the past few days have acknowledged breaches to sensitive employee and customer data, respectively. Such breaches have become an all-too-familiar occurrence recently--led by the large cybertheft of customer information from TJX--as more organizations every week learn about proper customer data protection the hard way.

In Connecticut, names and Social Security numbers of more than 1,700 state employees were posted to the state Administrative Services Department's Web site because of a glitch in the system that characterized those employees as state vendors. Employees were notified last week of the problem after a state worker in January found his name on the site. The state employee information was erroneously loaded into a spreadsheet listing vendors who work with the state, a spokesman for the state comptroller's office said Tuesday. The information was removed from the site in January, and the state has taken measures to remove metadata from the Web that would allow this employee information to be found via a search engine, he added.

The Constitution State's data woes follow several high-profile public-sector data blunders, including several lost and stolen Veterans Affairs Department laptops and the discovery more than a year ago of the Justice Department's failure to scrub Web documents of sensitive data.

In the private sector, Stop & Shop on Feb. 17 revealed that it had discovered some tampering with checkout lane electronic funds transfer units--the PIN pads that customers often use to make purchases--at two Rhode Island stores that may have led to the theft of credit and debit card account information as well as PIN information. It's a case eerily reminiscent, although on a lesser scale, of the recent hack into Framingham, Mass.-based TJX's systems. TJX, whose properties include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods stores, fell victim to a hacker who accessed the company's computer systems that process and store information related to customer transactions at its stores in the United States and Puerto Rico, as well as for some stores in Canada, and potentially Ireland. The stolen information may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.

Stop & Shop performed an inventory and inspection of EFT units in all of its stores in response to the discovery of the EFT unit tampering. The company subsequently discovered evidence of payment device tampering at three other Rhode Island locations and one store in Massachusetts, but it hasn't received reports of any fraudulent transactions at those locations.

Stop & Shop said in a statement that the tampering took place in early February and that the company is working with local police departments and the U.S. Secret Service to determine the extent of the crime. "We also have contacted our credit and debit processors and business partners in order to identify and protect affected customer accounts," the statement says.

Although employee involvement is sometimes suspected when EFT units are tampered with, Stop & Shop noted in its public statement that its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

In an additional statement that's also become all too familiar in recent years, the supermarket chain recommends that customers who used electronic payment cards in its Rhode Island stores and its Seekonk, Mass., store carefully monitor their bank or credit card statements, and that they contact the applicable bank or credit card issuer immediately in the event of any fraudulent transactions.

The numerous examples of breached customer data indicate the inherent lack of security in retail systems, but they also highlight the need for better awareness of security policy among employees. Although Stop & Shop EFT units are in close proximity to store cashiers and heavily populated checkout lines, they were still compromised. And, in the case of Connecticut, employee data was posted inadvertently but may have been exposed as far back as October 2003. A data security audit would have discovered this error long before the employee brought it to the state's attention.
