ElectraCard Services was one of two payment processors in India named in conjunction with that massive $45M cyberheist. The other one is reportedly EnStage, Inc. Read more on ManoramaOnline.com.
Dinesh Nair and Jessica Dye of Reuters report that one of the card processors whose security was breached in a $45 million global cyber heist was India’s ElectraCard Services. No one has confirmed that officially, however, as the sources spoke on condition of anonymity. You can read the Reuter’s exclusive coverage here.
Amy Chozik and Ben Protess report on what the NYT calls a privacy breach, but is also a security breach, in my opinion:
A shudder went through Wall Street on Friday after the revelation that Bloomberg News reporters had extracted subscribers’ private information through the company’s ubiquitous data terminals to break news.
The company confirmed that reporters at Bloomberg News, the journalism arm of Bloomberg L.P., had for years used the company’s terminals to monitor when subscribers had logged onto the service and to find out what types of functions, like the news wire, corporate bond trades or an equities index, they had looked at. Bloomberg terminals, which cost an average of more than $20,000 a year, are found in nearly every banking and trading company.
Bloomberg said the functions that allowed journalists to monitor subscribers were a mistake and were promptly disabled after Goldman Sachs complained that a Bloomberg reporter had, while inquiring about a partner’s employment status, pointed out that the partner had not logged onto his Bloomberg terminal lately.
Read more on NY Times.
Zachary Seward has a companion piece on Quartz, called, What Bloomberg employees can see when they snoop on customers.
This will be one for the books… and Hollywoood spinoffs. Jessica Dye and Jim Finkle of Reuters report:
The government charged eight people with using data obtained by hacking into two credit card processors in a worldwide scheme that netted some $45 million within hours, a crime prosecutors described as one of the biggest bank heists in history.
The individuals formed the New York-based cell of a global cybercriminal organization that stole MasterCard debit card data from two Middle Eastern banks, the Justice Department said. The information was used to make more than 40,500 withdrawals at automated teller machines in 27 countries, prosecutors said.
Tomren Wealth Management sent out notification letters recent following a server breach that occurred between February 21 and March 6, when the intrusion was discovered.
“The forensic examiners found spamming software was loaded onto the machine in a failed attempt to send out ‘junk” spam emails, however, we have been unable to determine whether the unauthorized party accessed any personal infonnation relating to you,” Michael Tomren wrote to those affected. Clients’ personal information stored on the server included names, Social Security numbers, driver’s license information, and clients’ FSC broker account numbers.
“At no time was there ever any access to your actual accounts and holdings with our firm,” Tomren reassured clients. “We have reviewed the daily transaction reports and we have found no irregularities. We have examined and will continue examining the measures we can take to help prevent incidents of this kind in the future. For example, we have upgraded the firewall, changed all passwords, deleted certain applications and hired forensic examiners to ensure the system is and will be free of threats.”
The San Ramon-based firm offered affected clients free credit protection for two years and reported the incident to the California Attorney General’s Office.
OneWest Bank has been notifying customers of a breach that occurred back in 2011.
According to their letter, a copy of which they submitted to California under the state’s breach reporting requirements, the bank
recently learned that one of our service providers, was the victim of an illegal and unauthorized intrusion into its network (“Network Intrusion”) during the first quarter of 2011. In response, the service provider enhanced the security of its network systems, cooperated with law enforcement including the United States Secret Service (“USSS”), and investigated using leading outside security firms.
Information that was accessed included customer information such as name, address, birthdate, phone number, drivers license number, passport number, and Social Security Number. The bank does not believe that the data were downloaded or copied, but offered customers free credit monitoring services.
The letter does not state when the unnamed vendor first learned of the breach or how it learned of it. I emailed the bank on Wednesday to inquire, and although they indicated they would get back to me with information, I have not heard back from them with answers to those questions. So… did the vendor know about this years ago or months ago and first informed them now, or did the vendor first learn of the breach now, and in any event, how did the vendor learn of the intrusion?
Somewhat surprisingly – particularly in light of the delayed discovery and notification – I do not see any apology from the bank in their notification letter or even recognition that customers might be dismayed or angry about the delayed notice.