‘Woefully lax’: report slams CIA cybersecurity after hacking tool leak

By Raphael Satter

(Reuters) – Many of the Central Intelligence Agency’s most sensitive hacking tools were so poorly secured that it was only when WikiLeaks published them online in 2017 that the agency realized they had been compromised, according to a report released Tuesday.

The secret-spilling site drew international attention when it dumped a vast trove of malicious CIA code on the internet in March 2017.

The digital tools, sometimes described as “cyber weapons,” provided a granular look at how the CIA conducts its international hacking operations. The leak also deeply embarrassed the U.S. intelligence community, which has repeatedly been hit by large-scale leaks over the past decade.

An internal CIA report dated October 2017 and released by Democratic U.S. Senator Ron Wyden on Tuesday described security at the agency’s Center for Cyber Intelligence – the unit responsible for designing the tools – as “woefully lax.”

“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. It described the WikiLeaks disclosure as “the largest data loss in CIA history.”

The CIA declined to comment specifically on the report, saying only that it “works to incorporate best-in-class technologies” to keep ahead of security threats.

The report, drawn up by the CIA’s WikiLeaks Task Force, was heavily redacted, but it called out failures at the Center for Cyber Intelligence, which the report’s authors said was too focused on building hacking tools rather than securing them.

In a letter accompanying the report, Wyden suggested that the weaknesses highlighted by the report “do not appear to be limited to just one part of the intelligence community,” which he said was “still lagging behind.”

(Reporting by Raphael Satter; editing by Jonathan Oatis)

Saks, Lord & Taylor hit by payment card data breach

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

By Jim Finkle and David Henry

TORONTO/NEW YORK (Reuters) – Retailer Hudson’s Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

One cyber security firm said that it had evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.

Toronto-based Hudson’s Bay said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

A company spokeswoman declined to elaborate.

The breach comes as Hudson’s Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. Last June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.

Hudson’s Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.

JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.

The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units, Chorine told Reuters by telephone.

The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.

“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.

Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.

If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than the largest thefts on record, which occurred a decade ago.

Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal investigators.

Cyber criminals stole some 40 million payment cards in a 2013 hack on Target Corp and 56 million from Home Depot Inc in 2014.

Hudson’s Bay said there is no indication its recent breach involved online sales at Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters and HBC Europe units.

The company said that customers will not be liable for fraudulent charges resulting from the breach.

(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill Rigby and Steve Orlofsky)