Sears and Delta Customer Data Breached

DooKey, [H]F Junkie, Joined Apr 25, 2001, Messages 13,554
Once again hackers have managed to hack big business and get customer data. This time it's Sears and Delta and they blame this breach on their software service provider. Less than 100K users at Sears had credit card information stolen and Delta says it was a small subset of their customer base. It appears the amount of customer data compromised in this latest breach is small, but it's getting more concerning all the time because of the increased frequency of breaches. I believe this is like the iceberg that struck the Titanic and we aren't seeing the true size of this problem.

Technology firm [24]7.ai, which provides online support services for Delta, Sears and Kmart among other companies, found that a cybersecurity incident affected online customer payment information of its clients, it said.
 
You know what would be nice? Aside from knowing about the breaches, it would be nice to know what software infrastructure was being used at the sites that were breached.
 
I think that it is safe to say that if you have ever connected online then you are compromised. Let's be realistic, every few days we hear about another big corp being hacked; how many sub-companies are they involved with? The odds are in favor that if you have ever been online then you have been purposefully compromised. I'm not a big conspiracy theory guy but let's be honest, this data collection is far too widespread to be just a simple group of hackers wanting to traffic your info; this is data collection coming from the highest levels of government and big business, which are probably one and the same. Giving serious thought to selling my own info, at least I would get paid..lol but realistically, if my info has been collected could I at least get a copy so I can keep track of my own records and make corrections? I honestly don't even care anymore, I have nothing to hide and never have.

A side note, just last Tuesday I received notification that my info had been compromised in 2012 and 2013 by a company that I rented game servers from. Now that I know I guess I will panic ;)
 
I honestly don't even care anymore, I have nothing to hide and never have.
It is not about whether you care, nor is it about what you have to hide.
It is about the rest of us, and our ability to apply for a home loan without having to worry about whether our identity has been stolen.
The "I have nothing to worry about..." train of thought has left the building. You should be worried.
 
Less than 100K users at Sears had credit card information stolen

So... we're talking what... the entire customer base left for Sears??

hehehehe

But seriously, I do not know how they are still around. I used to live close to one about 5 years ago and whenever I stopped in, the place was a ghost town, and rarely ever had what I was looking for anyways.



The odds are in favor that if you have ever been online then you have been purposefully compromised


And sadly, with the likes of Equifax, or any of the POS hacks, you don't even have to be "online" to get your info stolen.
 
I don't shop at Sears or Delta, so I guess I finally avoided one.

Fucking sweet!
 
I honestly don't even care anymore, I have nothing to hide and never have.
When a thief really takes you to task, they can mess you up REAL GOOD. When your credit gets absolutely destroyed, that can have a massive impact on your life. It's not about having something to hide to begin with; wanting privacy doesn't mean I have something to hide. It's an old talking point some government representatives and law enforcement representatives love to trot out, but they're doing that because they want more power over you.

But on the topic itself, all these breaches suck and we want to have someone to blame. We want to know who forgot to put a machine behind a firewall, who didn't patch their OSes, who installed insecure software, etc. I think in many cases the answer is straight up that we do not value security enough and therefore leave attack vectors open. The fact is, for any of those larger corporations, the software ecosystem is huge and all you need is for one part of it to not be patched up to snuff, or to be using older technologies that have become unsafe. It can come down to protocols used in database transactions, or older encryption schemes, or unsafe hardware (Spectre and Meltdown, good examples of holes that were open for many months and will remain open for YEARS due to slow upgrade cycles.)

IT departments are strapped for resources left and right, and good admins who can enumerate, schedule and fix all the issues are expensive. Companies don't want to pay for those, so they leave gaps. When a breach happens, so be it, disclose if you must, but ultimately not much happens. I know I don't get compensated for the various inconveniences and expenses related to freezing/unfreezing my credit all the time; in fact, I fuel the bottom line for the credit bureaus who charge me for this.

I think what we need is (GASP) REGULATION (/GASP) to hold those companies responsible for any negligence. Shit, we went balls-out during the last financial crisis and put Sarbanes-Oxley controls everywhere because OUR customers DEMANDED them, because if not, they could be held accountable. That needs to expand more in "computer land" for hardware and software, and the expenses need to be deemed a cost of doing business. It's a great example of where the "regulations are bad" mantra falls apart, because look at where we are now. True that SOX audits include software, but they go nowhere near deep enough. I had to do an audit of our software for known weaknesses, but nobody checked what protocols we use for communication, or how exactly encryption was configured.

Companies' IT should be audited regularly, commercially shipped software should be audited, and all of it with mandatory disclosure. You ship some old piece of shit encryption DLL with terrible configuration in your financial software, you need to be held to fixing it, with penalties if you don't.

And I'll end my rant here.
 
So... we're talking what... the entire customer base left for Sears??

hehehehe

But seriously, I do not know how they are still around. I used to live close to one about 5 years ago and whenever I stopped in, the place was a ghost town, and rarely ever had what I was looking for anyways.

Whenever I go to Sears, the automotive section always has some customers in it. If the store is in an area with hurricanes or whatever other natural disasters, the place always sells out of portable generators a few days after they announce something is coming.

I'll see some people walking around the tool section. The rest of the store outside of those places is usually barren though.
 
My guess is a lot of companies outsource IT, and this is creating a weakness in security. What's even worse is if many corps use the same outsourcer, and that outsourcer gets compromised. Then crap hits the fan.
 
Thankfully, the credit card info I had on file (which was a mistake) at Sears was old and invalid.
 
I could really care less about Sears, but using Delta customers' info to circumvent potential airline security seems to raise a red flag.
 
Tired of this shit. I haven't been a customer of Sears in a long time (used to like Craftsman hand tools...), but I use Delta frequently. This is so commonplace anymore.
 
You know what would be nice? Aside from knowing about the breaches, it would be nice to know what software infrastructure was being used at the sites that were breached.
Even nicer... stop fucking collecting credit card information! Got your payment info? Fine. Credit card company reimbursed you? Great. Move that data to a "storage" server that can't be accessed offline in case there are any chargebacks, then after 30 days or whatever delete that shit and write zeroes over it.

Seriously, if I don't have a receipt they won't take a return because they don't keep that info. But hey, they will keep all your data until the end of time.
 
Even nicer... stop fucking collecting credit card information! Got your payment info? Fine. Credit card company reimbursed you? Great. Move that data to a "storage" server that can't be accessed offline in case there are any chargebacks, then after 30 days or whatever delete that shit and write zeroes over it.

Seriously, if I don't have a receipt they won't take a return because they don't keep that info. But hey, they will keep all your data until the end of time.

I go one better. Our credit card server is not accessible over the Internet at all. As soon as the server collects, and verifies, the card number it is stored through a back-end connection to a local server. Even that handshake is being done via proprietary software, in the event the collecting server gets violated. Then the credit card number is encrypted and stored in the database. The decryption key is not stored on a server at all. It is locked in a safe and changed weekly.

We wipe the information after the account is closed. We only keep active information.

It may not be the best method, but it seems to work better than what a lot of companies use and I have never lost a credit card number.
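The two posts above describe the same idea from opposite ends: keep card numbers only as long as a chargeback window needs them, and when you do keep them, encrypt them with a key that never lives on the database host. The block below is an added example written for this thread, not the poster's proprietary system and not code from [24]7.ai, Sears or Delta. It assumes AES-256-GCM in place of whatever "encrypted" means in the post, an in-memory key ring standing in for the safe (a real deployment loads keys at start-up from an HSM, KMS or operator), the hypothetical names Vault and Record, and constructed test card numbers. Each record carries the ID of the key that sealed it, so a weekly key change is "add new key, retire old key" and retiring a key makes every record under it unreadable at once, which is the quick way to honour "write zeroes over it". The customer ID is bound in as associated data so a stolen row cannot be replayed against a different account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Record is all the database ever holds for a card: no PAN in the clear.
type Record struct {
	KeyID      string    // which data key sealed this PAN
	Ciphertext []byte    // GCM nonce || ciphertext || tag
	Last4      string    // enough for receipts and "which card?" prompts
	StoredAt   time.Time // drives the retention purge
}

// Vault keeps the key ring in memory only (assumption: in production the keys
// are loaded from outside the database host; here the caller passes them in).
type Vault struct {
	keys    map[string][]byte
	current string             // KeyID used for new records
	records map[string]*Record // customer ID -> record
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, records: map[string]*Record{}}
}

// AddKey registers a 256-bit AES key and makes it current. Older records stay
// readable under their own KeyID until that key is retired.
func (v *Vault) AddKey(id string, key []byte) error {
	if len(key) != 32 {
		return fmt.Errorf("key %s: need 32 bytes, got %d", id, len(key))
	}
	v.keys[id], v.current = key, id
	return nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a missing (nil) key fails here: no key, no store
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store seals the PAN under the current key with the customer ID as associated
// data and keeps only the ciphertext plus the last four digits.
func (v *Vault) Store(customer, pan string, now time.Time) error {
	if len(pan) < 12 {
		return fmt.Errorf("PAN too short")
	}
	aead, err := gcm(v.keys[v.current])
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nonce, nonce, []byte(pan), []byte(customer)) // nonce is prefixed
	v.records[customer] = &Record{v.current, ct, pan[len(pan)-4:], now}
	return nil
}

// Reveal is the only path back to a PAN; it fails closed once the key is retired.
func (v *Vault) Reveal(customer string) (string, error) {
	rec, ok := v.records[customer]
	if !ok {
		return "", fmt.Errorf("no record for %s", customer)
	}
	key, ok := v.keys[rec.KeyID]
	if !ok {
		return "", fmt.Errorf("key %s retired: record unreadable", rec.KeyID)
	}
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	pt, err := aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(customer))
	return string(pt), err
}

// RetireKey drops a key; every record sealed under it becomes noise (crypto-shredding).
func (v *Vault) RetireKey(id string) { delete(v.keys, id) }

// Purge deletes records older than the retention window and reports how many went.
func (v *Vault) Purge(now time.Time, retention time.Duration) int {
	n := 0
	for id, rec := range v.records {
		if now.Sub(rec.StoredAt) > retention {
			delete(v.records, id)
			n++
		}
	}
	return n
}

func main() {
	v, k, now := NewVault(), make([]byte, 32), time.Now()
	rand.Read(k)
	v.AddKey("2018-w14", k)
	fmt.Println(v.Store("cust-42", "4111111111111111", now)) // constructed test PAN
	fmt.Println(v.Reveal("cust-42"))
	v.RetireKey("2018-w14")
	fmt.Println(v.Reveal("cust-42"))
	fmt.Println("purged:", v.Purge(now.Add(31*24*time.Hour), 30*24*time.Hour))
}
```

The retention purge and the key retirement are deliberately separate: purge enforces the "30 days or whatever" window on live rows, while retiring a key covers every copy of those rows (backups, replicas, the storage server) that a delete statement never reaches.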
 
I go one better. Our credit card server is not accessible over the Internet at all.
That sounds too reasonable. I mean we should have credit cards accessible to anyone with an IP address, just like our national security, secrets, power grid, etc.
 