
The Data Breaches that Haunt the Payments Industry

The estimated volume of third-party fraud cases in 2013 was 34.1 billion, with a value of $6.7 billion USD. The total value of general-purpose card-not-present payments (including general-purpose credit, debit, and prepaid) has been rising at an annual growth rate of 16%. With the global e-commerce market forecast to grow at over 17% a year, representing a total value of almost $2.4 trillion by 2017, fraud prevention is becoming a big issue in the industry.

In 2012, 621 confirmed data breaches were reported in the United States, resulting in the theft of over 44 million sensitive consumer records—including millions of debit and credit card account numbers. In January 2014 alone, a single cyber-attack exposed more than 105 million identities. The lost revenue due to online fraud was an estimated $3.4 billion in 2011, increasing to $3.5 billion in 2012. This study was based on the profiling of 312 online retail companies based in the United States and Canada. According to a study by Nielson, the global loss due to online fraud was estimated at $11.27 billion in 2012.

Here are some notable cases of payment card data breaches that clearly show that it’s high time that the $100 billion security industry steps up its game:

Chick-fil-A (Impact: 9000 customer cards at risk)

Chick-fil-A, the popular QSR chain, received reports of potentially unusual activity involving payment cards used at a few of its restaurants. As cited by Brian Krebs in a blog post on KrebsOnSecurity, a particular bank revealed that it had put 9000 customer cards on an alert list, all of which had Chick-fil-A locations as a common point of purchase. The company was first notified of limited suspicious payment card activity by its payments industry contacts. The company first came to know about the possibility through a report on December 19th last year.

Home Depot (Impact: 56 million payment cards at risk)

Home Depot announced that a breach at its U.S. and Canadian stores, which took place over a six-month period, might have put 56 million payment cards at risk. Experts believed that organised gangs of cybercriminals were behind the string of breaches that affected the U.S. retail stores. Some even speculated that these gangs were of Eastern European origin. An investigation revealed that custom-built malware, which evaded detection once implanted, was used.

Michaels Arts and Crafts Stores (Impact: over 2.6 million payment cards at risk)

Michaels and its subsidiary Aaron Brothers were targeted in a fraud case. About 2.6 million customer credit and debit cards used at Michaels' stores were possible targets, along with approximately 40,000 cards at the Aaron Brothers' stores. The breach comprised two separate eight-month-long incidents at the arts-and-crafts chain. As per official statements, the attack targeted a limited number of point-of-sale (POS) systems at Michaels' stores between May 8, 2013 and January 27, 2014. Also, between June 26, 2013 and February 27, 2014, about 54 Aaron Brothers' stores were affected by the attack.

Revelation by Hold Security (Impact: around 200 million payment detail records)

Hold Security, a security-research firm based in the U.S., has discovered that a Russian gang has stolen 1.2 billion username and password combinations and over 500 million e-mail IDs. The confidential data was stolen from 420,000 websites and is being dubbed the biggest theft of internet credentials to date. About 200 million personal records were stolen from Court Ventures, including social-security numbers, credit-card data, and bank-account information. The Russian hackers captured the credentials on a massive scale using botnets, which are networks of zombie computers infected with a virus. The botnet is able to test whether websites are vulnerable to a popular hacking technique called “SQL Injection.”

Supervalu Stores (Impact: around 3320 stores)

U.S. supermarket chain Supervalu was hacked and lost customer card data. The company saw an intrusion into the network that processed the payments for some of its 3,320 stores. The data breach was believed to have taken place between June 22 and July 17. Information such as cardholder names, account numbers, and expiration dates was stolen from cards used at point-of-sale systems in company-owned as well as franchised stores.

Target Stores (Impact: around 110 million payment cards at risk)

Probably one of the most infamous payment data breach cases ever was the massive attack on Target stores in 2013, which led to the loss of 110 million payment-card numbers and the personal information of 70 million shoppers. The PIN data that was removed was supposed to be decrypted only when received by Target’s external, independent payment processor. As per recent updates, the data breaches cost the retailer around $162 million.

UK online travel insurance company (Impact: 110,000 payment cards at risk)

The UK-based online travel insurance company was fined a sum of £175,000 by the U.K.’s Information Commissioner’s Office after data was stolen by hackers. During the attack, around 110,000 payment card details, related to around 93,400 customers, were put at risk. The company had incorrectly stored the CVV numbers, failing to meet a key part of PCI DSS requirements. The hackers were able to identify the keys used in encrypting the data and then used these to decrypt payment card numbers.


Ray has a keen interest in the area of devices, OS and wireless technologies. He is a mobile technology enthusiast and believes that mobility is going to completely change the way we do payments and commerce. He wishes to share this belief with the world by providing such content through LetsTalkPayments. Ray holds an engineering degree as well as an MBA.
