
Lax Companies Now Legally Liable for Credit Card Theft

For too long, some companies have shirked their responsibility to protect their customers' personal information. Furthermore, it is believed that these companies simply gave lip service to how they went to great lengths to protect customer information. Do you think it's true that many companies don't make customer confidentiality a big enough concern? Well, for many, this is about to change.

Lax Corporate Attitude Toward Cyber Security

Apparently, some executive management teams simply don't care much if customer information is stolen as long as they still have access to it locally. Supporters of this view believe that execs don't see how another person having the data outside of their company could hurt their profits. As long as the company still has it, they can still reach the customer, solicit more business and make money. These companies haven't felt the pain brought on by ransomware yet.

If these companies simply don't care that much about being hacked, they certainly know how to put on a show that "security is of paramount concern." What do you think: are some companies simply bragging about the millions of dollars spent to reinforce cyber security defenses but, in truth, doing very little?

Subway Restaurants Hacked

Take Subway restaurants, for example, where 146,000 victims had their credit cards stolen, which led to $10 million in fraudulent charges. After investigating the incident, researchers learned that some sandwich shops had "directly and blatantly disregarded" the franchisees' security and POS configuration standards. Who paid for the $10 million in losses? In most cases like this, the banks have taken the hit, plus they pay the expense to reissue new credit cards. All of this is of course passed on to their customers (i.e. you and me). BTW: Subway later announced that they spent money to reinforce their cyber security but, other than this expense, how were they hurt when their customers' identities were stolen? Answer: maybe they weren't hurt much at all, as cyber crime happens so frequently these days that it probably didn't put a dent in their goodwill.

A New Wind is about to Blow

This lack of caring will change in the near future for 3 reasons:

  • Starting Oct 1st, 2015, merchants are now FULLY LIABLE for credit card theft instead of the banks. This should be significantly motivating for lax corporate security efforts.
  • Ransomware: infections on computers can lock up a computer until a key is entered. The key is usually obtained after making a ransom payment in bitcoin or by another method. Sound scary? You bet it is, especially when it locks up the mapped drives on the server, which prevents everyone else from accessing the data. This form of extortion is growing.
  • Sometimes the theft does hurt the victim as in the case where Subway had gift cards stolen: Subway had “$40K in gift cards” stolen from them.

Court Rules The Government Can Punish Cyber-attack Victims

On Monday, in a 3-0 decision, the United States Court of Appeals for the Third Circuit ruled that the Federal Trade Commission has the authority to sue companies for allowing hackers to steal customer data from their computer systems. The court's ruling sends the FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION case back to the lower court.

In 2008 and 2009, hackers absconded with the personal data of over 600,000 Wyndham Hotel customers, which resulted in more than $10 million in losses.

The court determined that the lack of adequate security provided by Wyndham does, in fact, amount to engaging in "unfair or deceptive acts or practices in or affecting commerce", the very thing the FTC is designed to prevent.


Read the actual ruling.

Beef Up Cyber Security

What can we do to beef up our cyber security defenses?

  • Monitor DNS traffic: odd DNS traffic patterns are often indicative of malicious activities.
  • Monitor internal communications: baseline the traffic behaviors of servers hosting your most important sources of data. Set up triggers for odd patterns.
  • Watch end systems for excessive uploads to the Internet.
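
One way to turn the baselining and upload-watching advice above into a trigger, as an added example that is not part of the original post: each host's upload volume today is compared with its own history. The record layout, host names, volumes and thresholds are assumptions made up for illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed sample records: (day, internal host, bytes sent to Internet addresses).
# Host names and volumes are invented for illustration.
FLOWS = [(d, "db01", v * MB) for d, v in enumerate([20, 22, 19, 21, 20, 900], 1)]
FLOWS += [(d, "ws17", v * MB) for d, v in enumerate([5, 6, 5, 4, 5, 6], 1)]
FLOWS += [(d, "ws22", v * MB) for d, v in enumerate([1, 1, 2, 1, 1, 30], 1)]
FLOWS += [(6, "kiosk3", 200 * MB)]  # first seen today: no baseline exists


def daily_totals(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, sent in flows:
        totals[host][day] += sent
    return totals


def flag_excessive_uploads(flows, today, k=5.0, floor=50 * MB, min_days=3):
    """Return (host, bytes_today, threshold) for hosts uploading far above baseline.

    Baseline is the median of earlier days; spread is the median absolute
    deviation (MAD), which one earlier spike cannot inflate. The floor
    suppresses alerts on hosts whose normal volume is tiny, and is the only
    limit applied to hosts with fewer than min_days of history.
    """
    alerts = []
    for host, per_day in sorted(daily_totals(flows).items()):
        history = [v for d, v in per_day.items() if d < today]
        sent_today = per_day.get(today, 0)
        threshold = floor
        if len(history) >= min_days:
            base = median(history)
            mad = median(abs(v - base) for v in history)
            threshold = max(floor, base + k * mad)
        if sent_today > threshold:
            alerts.append((host, sent_today, threshold))
    return alerts


if __name__ == "__main__":
    for host, sent, limit in flag_excessive_uploads(FLOWS, today=6):
        print(f"ALERT {host}: {sent / MB:.0f} MB uploaded, limit {limit / MB:.0f} MB")
```

With the sample data, the database server and the host with no history are flagged, while the workstation whose jump stays under the floor is not; lowering the floor trades fewer misses for more alerts.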

Need help performing the above? Contact our experts for a complimentary consultation and evaluation.