Title: Open Letter to Customers of Hancock Fabrics - Hancock Fabrics.com
Date: 05/05/10
Business Activities: Security - Physical Safeguards, Security - Technical Safeguards, Breach Response
Impact to Subscriber:

A retailer admits that PIN pad units at a limited number of stores were stolen, and replaced with visually identical but fraudulent PIN pad units, which may have allowed criminals to capture or "skim" payment card data during transactions; the retailer has upgraded the PIN pad units at the point of sale in all stores with new PIN pad units that were designed to meet the toughest security requirements, installed automated systems to monitor each of the PIN pad units daily to look for suspicious activity, and implemented new store-wide policies with respect to daily inspection of the PIN pad units.

Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:
  • Hancock Fabrics experienced a series of security breaches in 2009 in several states caused by tampering with its point-of-sale ("POS") machines. 

Relevance to Business Activities:
  • security - physical and technical safeguards considerations:
  • bank customers in California, Wisconsin, and Missouri reported fraudulent ATM withdrawals that police said were tied to transactions conducted at Hancock Fabrics stores:
      • in California, 60 residents reported their cards being used by thieves, and in one case $840 in cash withdrawals was made;
      • 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts:
        • the total loss is in the $40,000 range.
      • at least 10 customers in Missouri reported their debit card numbers and PINs stolen during the week of November 9:
        • at minimum $3,000 was taken from two bank accounts.
    • Hancock Fabrics admits that, in the August and September 2009 timeframe, PIN pad units at a limited number of stores were:
      • stolen and replaced with visually identical but fraudulent PIN pad units: [Risk]
        • this may have allowed criminals to capture or "skim" payment card data during transactions. [Risk]
    • Hancock confirmed that the data accessed may have included customer information such as:
      • the name printed on a customer's payment card;
      • the card number; [Risk]
      • the card expiration date; [Risk]
      • the PIN, when one was entered in a PIN debit transaction. [Risk]

  • breach response considerations:
    • Hancock Fabrics has:
      • been coordinating with federal and local law enforcement to assist in the investigation of this crime;
      • implemented additional layers of security designed to prevent a recurrence of this type of theft - the measures include:
        • upgrading the PIN pad units at the point of sale in all stores with new PIN pad units that were designed to meet the toughest security requirements; [Control]
        • working with forensic investigators:
          • to analyze the extent of any unauthorized access to customer information; and
          • to identify and address any issues found;
        • installing automated systems to monitor each of the PIN pad units daily to look for suspicious activity; and [Control]
        • implementing new store-wide policies with respect to daily inspection of the PIN pad units. [Control]
      • recommended that customers review their account statements closely:
        • if suspicious activity is detected, the customer should promptly:
          • notify the relevant financial institution; and
          • report any fraudulent activity or suspected incidents of identity theft to the appropriate law enforcement authorities, including the Federal Trade Commission; and
          • place a fraud alert on their credit report by calling Trans Union, Experian, or Equifax.
    • Charter Oak Bank in California had four customers report missing money from their accounts totalling under $10,000 - in response the bank has:
      • issued new cards to the customers;
      • placed new controls on transactions, including:
        • IP address restrictions. [Control]
      • held fraud presentations for its cash management customers. [Control]
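The monitoring and daily-inspection controls listed above reduce, in logical terms, to comparing the PIN pads actually present on each lane against an enrolled inventory, so that a substituted or missing unit is flagged before it processes a day of transactions. The script below is an added illustration written for this summary; it is not Hancock Fabrics' monitoring system and does not come from either source document. It assumes each terminal emits a daily heartbeat line carrying its serial number and a firmware hash; the store numbers, lane numbers, serials, hashes and the heartbeat line format are all constructed for the example.

```python
"""Daily PIN-pad inventory audit (illustrative; constructed data).

Assumption: every deployed PIN pad reports once a day with a line of the form
    <timestamp> store=<id> lane=<n> serial=<serial> fw=<firmware hash>
Anything that differs from the enrolled baseline is reported as a finding.
"""
import re

# Enrolled baseline: (store, lane) -> (serial, firmware hash). Constructed data.
BASELINE = {
    ("0412", 1): ("PP-7A31C9", "3f9c2a"),
    ("0412", 2): ("PP-7A31D0", "3f9c2a"),
    ("0412", 3): ("PP-7A31D1", "3f9c2a"),
    ("0587", 1): ("PP-8B0042", "3f9c2a"),
    ("0587", 2): ("PP-8B0043", "3f9c2a"),
}

# One day's heartbeats, constructed to exercise each failure mode:
# store 0412 lane 2 reports an unknown serial (substituted unit),
# store 0412 lane 3 never reports (unit removed or offline),
# store 0587 lane 1 reports a different firmware hash (modified unit),
# store 0587 lane 4 is a device that was never enrolled.
HEARTBEATS = """\
2009-09-14T06:00:03Z store=0412 lane=1 serial=PP-7A31C9 fw=3f9c2a
2009-09-14T06:00:04Z store=0412 lane=2 serial=PP-9C55E2 fw=3f9c2a
2009-09-14T06:00:06Z store=0587 lane=1 serial=PP-8B0042 fw=77d01b
2009-09-14T06:00:07Z store=0587 lane=2 serial=PP-8B0043 fw=3f9c2a
2009-09-14T06:00:09Z store=0587 lane=4 serial=PP-8B0099 fw=3f9c2a
"""

HEARTBEAT_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\d+) lane=(?P<lane>\d+) "
    r"serial=(?P<serial>\S+) fw=(?P<fw>\S+)$"
)


def parse_heartbeats(text):
    """Parse heartbeat lines into {(store, lane): (serial, firmware hash)}.

    A malformed line is treated as an error rather than silently skipped: a
    device that cannot be identified should not be counted as present.
    """
    observed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEARTBEAT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable heartbeat line: {line!r}")
        observed[(m["store"], int(m["lane"]))] = (m["serial"], m["fw"])
    return observed


def audit_pin_pads(baseline, observed):
    """Compare observed devices with the baseline.

    Returns a list of ((store, lane), kind, detail) tuples. Serial is checked
    before firmware, so a swapped unit is reported as SERIAL_CHANGED even if
    its firmware hash happens to match.
    """
    findings = []
    for key, (serial, fw) in sorted(baseline.items()):
        seen = observed.get(key)
        if seen is None:
            findings.append((key, "MISSING", f"expected {serial}, no heartbeat"))
        elif seen[0] != serial:
            findings.append((key, "SERIAL_CHANGED", f"expected {serial}, saw {seen[0]}"))
        elif seen[1] != fw:
            findings.append((key, "FIRMWARE_CHANGED", f"expected {fw}, saw {seen[1]}"))
    for key, (serial, _fw) in sorted(observed.items()):
        if key not in baseline:
            findings.append((key, "UNREGISTERED", f"{serial} not in baseline"))
    return findings


def run_daily_audit():
    """Run the audit over the constructed day of heartbeats."""
    return audit_pin_pads(BASELINE, parse_heartbeats(HEARTBEATS))


if __name__ == "__main__":
    for (store, lane), kind, detail in run_daily_audit():
        print(f"store {store} lane {lane}: {kind} ({detail})")
```

A logical check of this kind only catches a substituted unit that reports a different identity; a fraudulent device that replays the enrolled serial and firmware hash would pass it, which is why the daily physical inspection of the units (seals, housings, cabling) in the company's new store policy complements rather than duplicates the automated monitoring.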


Source Documents:

http://www.hancockfabrics.com/Open-Letter_stcVVcatId551163VVviewcat.htm

http://www.bankinfosecurity.com/articles.php?art_id=1961
