Casino Breach Leads Roundup
Company Reports 2nd Intrusion into Payment Processing System
In this week's breach roundup, Affinity Gaming has reported a second unauthorized intrusion into its payment processing systems. Also, the Office of the Australian Information Commissioner says card solutions provider Multicard violated the country's Privacy Act by exposing information about 9,000 Maritime Security Identity Card applicants.
Casino Reports Second Card System Breach
Affinity Gaming, a Las Vegas-based company that owns 11 casinos, has reported a second unauthorized intrusion in less than a year into its payment processing systems for credit and debit cards.
"To fully understand this event and its implications, a thorough investigation is under way by Mandiant, a firm with globally recognized expertise in data security and IT forensics," the company says in an April 28 statement.
On May 5, the company said that there was no indication that credit card data was stolen "after late afternoon April 28," when the breach was first reported.
Affinity is working with law enforcement and gaming regulatory officials on the investigation. "We also will continue to evolve and enhance our system security, in response to new and emerging threats," the company says.
The company disclosed a similar incident in late December 2013, when its system that processes customer credit and debit cards was breached, according to a Dec. 20 statement from Affinity. According to news reports, the breach, which occurred between March 14, 2013 and Oct. 16, 2013, compromised the credit information for an estimated 280,000 to 300,000 customers.
The company did not immediately respond to a request for additional information.
Card Vendor Posted Sensitive Info Online
The Office of the Australian Information Commissioner has found that card solutions provider Multicard violated the country's Privacy Act by exposing online the personal information contained in about 9,000 applications for Maritime Security Identity Cards. A Maritime Security Identity Card allows an individual to work in maritime or offshore security zones.
Multicard stored the personal information on a publicly accessible Web server without appropriate security controls to prevent unauthorized access, according to the Australian Privacy Commissioner. The personal information was discoverable via a Google search over a four-month period. "As a result, unauthorized parties accessed and downloaded the information," the commissioner says.
Compromised information includes names, dates of birth, addresses, partial credit card numbers and expiration dates, and photographs.
Following the breach, Multicard took several steps to improve its security, including implementing an automatic alert notification system to inform the company of anomalous traffic on the site and conducting penetration testing and remediation.
While the privacy commissioner has found that Multicard's immediate response to contain the breach was adequate, it has also requested that an independent auditor hired by Multicard certify that the company has implemented planned remediation steps to improve its security, and provide a copy of the independent auditor's report.
Malware Compromises Payment Card Data
Boomerang Tags, a vendor of pet identification tags, is notifying 219 New Hampshire customers that their payment card data was compromised after malware was installed on the company's computer server.
The malware compromised the payment card data of customers who made purchases through the website between July 4, 2013, and Feb. 18. Exposed information includes name, address, payment card account number, card expiration date and security code, the company said in a statement to the New Hampshire Attorney General's office.
The company hired a computer forensic firm to investigate the incident. It has hired a new payment card processor and is designing a new website with additional security features.
Child Support Letters Misplaced
The California Department of Child Support Services is notifying several individuals that letters from the Solano County Department of Child Support Services were misplaced while in the custody of a contracted courier who was transporting mail to the post office.
"Although many of the letters were subsequently recovered, there is no way to determine if all of the letters misplaced reached their destination," according to the notification letter that was sent to the California Attorney General's office.