Description
On August 16, the Oregon Zoo reported that the credit card information of more than 117,000 people who had visited the zoo that year was stolen. This discovery resulted from a six-week investigation into a payment-skimming malware attack on the zoo's payment platform, which is managed by a contracted vendor. The investigation began after suspicious activity was detected in June 2024 and revealed that an unauthorized user had redirected customer transactions to a third-party server controlled by attackers. Any transactions processed by the third-party vendor between December 20, 2023 and June 26, 2024 may have been compromised. The exposed information includes cardholder names, payment card numbers, CVVs and expiration dates. The zoo has filed breach notifications with regulators in multiple states across the U.S.
Actions Taken
Federal law enforcement agencies were notified immediately upon discovery of the incident, and a new payment platform was put into place. The Oregon Zoo reviewed all transactions that took place throughout the attack period to identify anyone whose payment card information may have been affected. The zoo is providing free credit monitoring to all affected cardholders.
Prevention
This case is a prime example of how important adherence to the Payment Card Industry Data Security Standard (PCI DSS) is. PCI DSS sets forth stringent security controls that organizations that process card transactions must follow to remain compliant. Be aware that the recent PCI DSS v4 has now been published, which requires additional security measures beyond those in version 3.2. HALOCK Security Labs has PCI DSS specialists who can guide you through the latest changes in the standard and evaluate your systems for compliance. HALOCK can assist in navigating these updates and provide a comprehensive PCI compliance assessment to determine the appropriate scope of PCI compliance for your organization.
This example underscores the critical importance of thoroughly vetting all third-party and supply chain vendors. Your business's security is only as strong as that of the partners, providers, and contractors that connect to your network. Proper vendor assessment involves conducting due diligence to ensure vendors prioritize data privacy and security.
Card skimming schemes often involve the manipulation of the card reader itself. Businesses that use credit card terminals should use ones that are tamper-resistant and do not allow the overlay of skimming devices. Employees should be properly trained to recognize and respond to signs of compromised terminals and to understand the importance of handling payment information securely. Regular security audits should be conducted to inspect all card terminals and confirm their security. Monitoring software should be in place to scan for configuration changes on any of the servers and devices that comprise the payment platform.
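The two checks below illustrate what "scan for configuration changes on the payment platform" can mean in practice for a web checkout like the one in this incident: a file-integrity baseline for the deployed payment files, and a check that the checkout page only loads scripts from, and only posts card data to, hosts on an approved list. This is an added example written for this page; it is not HALOCK's code, the zoo's code, or the vendor's code. The allowlisted hostnames, file names, and file contents are constructed samples, not artifacts from the actual breach.

```python
"""Added example: two defender-side checks for a web payment platform.
Everything below (hostnames, file names, page fragments) is constructed."""
import hashlib
import re
from itertools import chain
from urllib.parse import urlparse


# --- 1. File-integrity baseline for the platform's deployed files ---------

def snapshot(files: dict) -> dict:
    """Map each deployed file name to the SHA-256 of its contents.
    In production the bytes would be read from disk on each run; the
    caller passes them here so the example runs offline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return {file: 'modified' | 'missing' | 'added'} for every deviation
    from the approved baseline. An empty dict means nothing changed."""
    findings = {}
    for name, digest in baseline.items():
        if name not in current:
            findings[name] = "missing"
        elif current[name] != digest:
            findings[name] = "modified"
    for name in current:
        if name not in baseline:
            findings[name] = "added"
    return findings


# --- 2. Checkout-page check: script origins and form destinations ---------

# Assumed allowlist: the shop's own host and its contracted payment processor.
ALLOWED_HOSTS = {"shop.example.org", "pay.example-processor.com"}

_SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)', re.I)
_FORM_ACTION = re.compile(r'<form\b[^>]*\baction=["\']([^"\']+)', re.I)


def referenced_hosts(html: str) -> set:
    """Hostnames of every script source and form action on the page.
    Relative URLs have no host and are skipped; protocol-relative
    '//host/path' URLs do resolve to a host and are kept."""
    hosts = set()
    for match in chain(_SCRIPT_SRC.finditer(html), _FORM_ACTION.finditer(html)):
        host = urlparse(match.group(1)).netloc.lower()
        if host:
            hosts.add(host)
    return hosts


def unexpected_hosts(html: str, allowed: set) -> set:
    """Hosts the page talks to that are not on the approved list.
    A non-empty result is the alert condition: card data may be going
    somewhere other than the contracted processor."""
    return referenced_hosts(html) - allowed


# --- Constructed sample data --------------------------------------------

APPROVED_FILES = {
    "checkout.js": b"document.forms[0].addEventListener('submit', validate);",
    "config.json": b'{"gateway": "https://pay.example-processor.com/v1/charge"}',
}
BASELINE = snapshot(APPROVED_FILES)

# A later run: one file changed outside the release process, one new file appeared.
CURRENT_FILES = {
    "checkout.js": APPROVED_FILES["checkout.js"] + b"\n// unreviewed change",
    "config.json": APPROVED_FILES["config.json"],
    "helper.js": b"// file not present in the approved release",
}

CLEAN_PAGE = """
<form action="https://pay.example-processor.com/v1/charge" method="post">...</form>
<script src="/static/checkout.js"></script>
<script src="https://shop.example.org/static/vendor.js"></script>
"""

# Same page with one extra script tag pointing at an unlisted host.
TAMPERED_PAGE = CLEAN_PAGE + """
<script src="//collect.constructed-bad-example.net/extra.js"></script>
"""

if __name__ == "__main__":
    print("file changes:", diff_snapshots(BASELINE, snapshot(CURRENT_FILES)))
    print("unexpected hosts:", unexpected_hosts(TAMPERED_PAGE, ALLOWED_HOSTS))
```

Both checks are cheap enough to run on a schedule and on every deploy. The file baseline should be regenerated only as part of an approved release, so that any hash drift between releases is a finding; the host allowlist should be reviewed whenever the payment processor or a front-end dependency changes, since a legitimate new host will otherwise show up as an alert.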
HALOCK was recognized in the 2024 Verizon Data Breach Investigations Report (DBIR) for its approach to estimating risk.
Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.