More proof that vending machines are bad for you
My Computerworld colleague and friend Jaikumar Vijayan wrote about Vacationland Vendors disclosing a data breach affecting some 40,000 people who visited waterpark resorts in Wisconsin and Tennessee between December 2008 and May 2011.
I've always had trouble with vending machines, though I don't fault the vendor. I just simply couldn't help shoving all my money into these things so I could get my fill of junk food. I haven't eaten vending machine food in quite a while, and the last time I did it was cash only.
Now most of them have the credit card option, which is like junk food for the bad guys. If they can find a way to exploit security holes in the card-swiping machinery, they can binge on your data.
How do they do this? Vijayan says in his article:
Vacationland Vendors said that an unknown intruder had broken into certain parts of its point-of-sale systems used to process payment-card transactions at Wilderness Resorts locations in Tennessee and in the city of Wisconsin Dells, Wis. Breaches of point-of-sale networks have typically involved the use of malicious software to sniff out and intercept payment card data as the information is transmitted to the bank for authorization. The massive compromise at Heartland Payment Systems, which resulted in the exposure of tens of millions of credit and debit cards, for instance, resulted from a breach of the company's point-of-sale network.
But the vendor doesn't explain how exactly hackers made it in. At the moment, it denies a security vulnerability is to blame.
Did an individual hacker or hackers go to the vending machines and tamper with the card-swiping devices? Or did they hack into the company network and find the place where all the data is collected?
Time will tell. For now, the vendor has the following statement on its website to give customers some direction:
This notice pertains to any customer who used a credit card or debit card at the Wilderness Resorts in Wisconsin or Tennessee from December 12, 2008 to May 25, 2011. In advance, Vacationland Vendors apologizes for any inconvenience that you may experience from the circumstances described below.
Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts. Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort. Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker.
Vacationland Vendors has moved swiftly to address this unfortunate incident and is working with an outside consultant to ensure that its point of sale systems are secure and protected from any further intrusions.
If you have used your credit card or debit card at the Wilderness Resort locations from December 12, 2008 through May 25, 2011, please consider taking the following immediate steps in order to prevent the unauthorized and unlawful use of your personal information:
Watch for any unusual activity on your bank statements, credit card account or suspicious items on your bills.
Contact any of your credit card issuers, banks or credit unions, and inform them of this incident.
Place a fraud alert on your consumer credit file. A fraud alert instructs creditors to watch for unusual or suspicious activity in your accounts, and provides creditors with notice to contact you separately before approving an extension of credit. To place a fraud alert, free of charge, contact one of the three national credit reporting agencies listed below. You do not need to contact all three; rather, the agency that you contact will forward the fraud alert to the other two agencies on your behalf.
Information Services LLC
P.O. Box 105069
Atlanta, GA 30348-5069
Fraud Victim Assistance Dept
P.O. Box 6790
Fullerton, CA 92834
Finally, information about personal identity theft and fraud may be obtained from the Federal Trade Commission at http://www.consumer.gov.idtheft or by calling 1-877-ID-THEFT
If you have any further questions about this incident, please contact Vacationland Vendors at firstname.lastname@example.org
Again, Vacationland Vendors deeply regrets any inconvenience or concern this incident may cause you.
Posted by Vacationland Vendors.