Jan 16 2018

There’s an update to the Jason’s Deli breach noted previously on this site. As of January 11, the firm posted on its site:

On December 22, 2017, Jason’s Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. Jason’s Deli’s management immediately activated our response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement. We released a preliminary public statement on December 28, 2017 describing the situation and our initial response.

From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason’s Deli restaurants (see below for a list) starting on June 8, 2017. During the course of the investigation, our response team contained the security breach and has also disabled the malware in all of the locations where it was discovered.

What Information Was Involved?

Based on the facts known to Jason’s Deli at this time, we believe that the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017. Our investigation has determined that approximately 2 million unique payment card numbers may have been impacted. Specifically, the payment card information obtained was full track data from a payment card’s magnetic stripe. While this information varies from card issuer to card issuer, full track data can include the following: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. However, it should be noted that the cardholder verification value that may have been compromised is not the same as the three-digit value printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or the four-digit value printed on the front of other payment cards (e.g., American Express). In addition, the track data does not include personal identification numbers (“PINs”) associated with debit cards.

What Are We Doing?

Since the breach was discovered, Jason’s Deli has worked closely with third-party forensics and cyber security firms, as well as federal law enforcement, to investigate and contain the breach.

You can read the full notice here. A listing of potentially affected Jason’s Deli locations appears under their notice on that page.

Thanks to @fanCRTCProfling for calling this to my attention.

Jan 16 2018

Reuters reports:

Jan. 10 – China’s cyber watchdog has scolded Ant Financial, Alibaba’s payment affiliate, for compromising user privacy after many users of its Alipay service were automatically enrolled in its credit scoring system.

The Cyberspace Administration of China (CAC) said in a statement it had summoned Ant Financial representatives to a meeting last Saturday and told them they had failed to meet the country’s personal information security standards.

Read more on Reuters.

Jan 16 2018

Brandon Hill reports:

Yesterday, we reported that OnePlus had a potential serious security breach on its hands following reports from dozens of customers that they had experienced fraudulent activity on their credit cards after purchasing phones from the company’s website. Security firm Fidus researched the issue and found that a small vulnerability in OnePlus’ credit payment processing platform on the website could be ripe for attack.

Read more on HotHardware.

Jan 16 2018

Joe Pinkstone reports:

SinVR, a virtual reality porn app with 20,000 members, had a huge security flaw that exposed the personal details of its members to potential hackers.

SinVR is an app that allows people to explore different sexual scenarios and interact with various characters in the virtual world.

London-based cybersecurity firm Digital Interruption found a hidden ‘backdoor’ in the software which gave outsiders access to the user names and emails of the members.

Of note, the security firm attempted to responsibly disclose to SinVR, but reportedly received no reply, leading them to go public with their findings.

Digital Interruption tracked down usernames, emails and even PayPal details of customers.

Once SinVR (finally?) became aware of the problem, it seems to have been addressed fairly quickly.

Read more on Daily Mail.


Jan 15 2018

Cue Peter, Paul, and Mary singing, “When will they ever learn? Oh, when will they ever learn? Oh, when will they ever learn?”

The best place to store your private keys of your production environment is probably NOT a public Amazon AWS S3 bucket. This is a top 500 “Cybersecurity” company btw. 🙂