Card Security Issues After Attack At Arnolds

January 27, 2015

Arnold’s has been the victim of a malware attack, which the company said has “resulted in overseas fraudsters accessing information from some of the cards used for transactions at our stores and making purchases abroad.”

Company President Frank Arnold said, “I regret to advise our valued customers that our business has been the unfortunate victim of a malware attack on the card information held on our servers and protected by anti-virus software.

“This has resulted in overseas fraudsters accessing information from some of the cards used for transactions at our stores and making purchases abroad over the course of the last five weeks.

“When our card processor, HSBC, notified us of the attack on Friday, I took immediate steps to protect our customers. I immediately stopped accepting cards Friday evening and I brought in specialized IT technicians to investigate the cause of the problem and to take appropriate countermeasures.

“They have worked tirelessly over the weekend and are making sure that our systems are once again secure. We hope to be accepting cards again using a new secure wireless solution provided by HSBC by end of day Tuesday.

“In the event that customers suspect any irregular activity on their card, I would request them to contact their bank directly who will be able to assist. As a precaution, customers should carefully review their bank statements for December 2014/January 2015.

“I sincerely apologize for any inconvenience that this attack may have caused. Please be assured that I am working towards rectifying this situation as quickly as possible and I will keep you updated,” added Mr Arnold.

In response, an HSBC Bermuda spokesperson stated: “We confirm that as a result of a fraud attack on a local retail card merchant, together with some other Bermuda-based banks, a number of HSBC cards have also been affected.

“The matter is under investigation. We have taken preliminary precautionary measures. However, in the event a customer suspects any irregular activity on their cards, we request them to immediately inform the bank.”


Comments (30)


  1. what... says:

    They KEEP credit card information? Why??

    • just a small town girl says:

      It’s a part of invoicing. When you swipe the card it doesn’t automatically go straight through. Same thing with restaurants, bars, etc.

      • what... says:

        To store numbers in that way you need to meet certain compliance standards (PCI) which require the numbers (if stored) to be stored in an encrypted state.

    • N Lombardi says:

      They are required to keep this information for a period of time; should the customer question a charge, the Merchant needs to research the transaction. Without the credit card information, the Merchant can’t locate the transaction, and cannot assist the Bank, which then cannot assist the customer with the question.

      • what... says:

        True, but there is NO need to store the entire CC number... only the Cardholder name and last 4 digits of the number. This is all the banks need for reference. Holding the entire number gives your company some financial responsibility for fraudulent charges made on the stolen numbers (read the fine print on your processing agreement)

        • Anbu says:

          No it doesn’t

        • N Lombardi says:

          When has this become my company? Why my responsibility? I do not know about Arnolds, but guessing as they have several outlets, and being a supermarket, they must go through thousands of transactions a day. The card gets swiped automatically; do you suggest that later they go and delete the rest of the numbers? I do agree that they should be encrypted. But look at what happened to HSBC in the Fall, they also got attacked, I am sure they were encrypted. The problem here is progress. An invention is always made to better ourselves, make life easier, but as with the computerized age, things are faster and faster, we (not me) do not have time any longer for the small details. Here is where those selected few find time for loopholes, to take advantage of us. In beating you to the punch, I agree that the inventors, the company and corporation, should have some responsibility, but they don’t; if they did, a company like Apple Computers would do their due diligence before releasing an iPhone that has issues from day one.

          • Hear hear.

            As I said earlier the issues that Arnolds is having probably lies solely with HSBC’s solution.

            Also if you’re clearing over 50k per month in sales you could probably reasonably use a better more modern solution using 2CheckOut + Shopify’s POS system.

            This system probably sees A LOT more volume than HSBC’s POS solution and so more of its kinks have been worked out.

      • Brian says:

        There are regulations (Payment Card Industry Data Security Standards) that require cardholder data to be unreadable “if required”. A retailer does not require it… in fact, the regulations strongly discourage storing the information.

        A retailer can use a transaction number for invoicing purposes. A retailer can find the transaction without the card number. Retailers should be finding other ways to track transactions without the need to store a credit card number. The POS or transaction payment process that Arnolds has implemented is flawed.

  2. kat says:

    Good lord above don’t sleep ……

  3. CoCo says:

    **sent

  4. Bermudian. says:

    Why the hell do they keep that info in the first place.

  5. bermudaglobetrottersdotcom says:

    Cash is king…

  6. Cecelia Pitt says:

    Please tell me that is where my $1000 is_I’m a Senior and Hungry!

  7. P says:

    All of arnolds stores or one in particular?

  8. P says:

    customs needs to start searching these americans how they search bermudians down at customs.

  9. Retarded people says:

    How it take u 5 weeks to realize this!!!!

  10. Big Burt says:

    Mine got stolen last week and I had to get a new card. This explains it. Luckily I have no money for the person to steal as they tried to spend 300 but it declined lol.

  11. Brian says:

    The incident spanned the last 5 weeks?! What are the other banks doing to immediately disable debit or credit cards used at Arnolds during that time?

    For what it’s worth, I just reported six unauthorized transactions (totalling $1010) to my bank. I’m unsure if it’s related. The purchases were made at Gamestop and Walmart in the City of Industry California.

    I hope Arnolds is aware that in cases like the Target breach, retailers are beginning to be held liable for data breaches due to inadequately protecting customer information.

    As for storing the credit card number, I strongly disagree that retailers need to store this information. Arnold should reconsider their POS and how cards are processed (not just anti-malware and protection of their infrastructure).

  12. Jennifer says:

    I think it would be good measure for other merchants, who may be using the same software, to look into the problem and make sure their machines weren’t compromised as well. I heard that someone who ONLY uses their card at a gas station had her card compromised as well. Just a suggestion.

  13. If the card information held on Arnold’s servers that were protected by anti-virus software were compromised then why is HSBC notifying Arnolds?

    And how is using a new secure wireless solution provided by HSBC going to solve that?

    This doesn’t make any sense from a technology standpoint:

    - Servers are usually offsite
    - Servers usually belong to the provider (i.e. HSBC in this case)
    - Fixing the in-store terminal won’t fix the server
    - Servers are usually protected by more than just anti-virus software, if that’s the only protection it has I’d be worried
    - Wireless solutions are challenging to secure properly

    It’s possible that there is some confusion about the issues and technology involved. It would have been safer just to quote HSBC and leave out the technology elements from the article.

    If you need to include it I would be asking more questions from Arnolds and HSBC Bermuda.

    • Brian says:

      Reading between the lines we can only conclude that:

      1. HSBC may have detected this because they have fraud monitoring for their customers
      2. Card numbers were likely not encrypted before being sent to HSBC

      • And it’s a solution provided via HSBC.

        Hopefully their wifi isn’t susceptible to Reaver attacks or other common wireless exploits.

  14. Y-Gurl says:

    I hope all the other retailers in Bermuda are paying attention and taking the appropriate measures to protect their customers information!

  15. Truth is killin' me... says:

    Don’t shop with credit cards. Only use cash…then risk getting mugged and bopped on de head inna de process. CAN’T WIN THESE DAYS!

    • Codfish and Potatoes says:

      I think the idea is to stay away from Arnolds. Why are they the only retailer that got hacked??

      • Bermerican says:

        And why was Target hacked and not Walmart/Macy’s/Sears? Crap happens. Yet, I still shop at Target. I’m sure other retailers on the island are at the same level of risk and they now have had a wake-up call.

  16. Brian says:

    Are any of the banks enforcing that merchants comply with payment card industry data security standards?

  17. ABC says:

    sue arnolds like sony

    make all de money in world but cant protected de constumers

    sue dem

  18. Sargasso says:

    There is absolutely NO valid reason for Arnolds to keep any part of the card number. Once the approval code has been issued the card info is not required.
    If the system used bank hardware then this info was not kept.
    If Arnolds was using its own system then they must accept the liability for the consequences of the data leak.
    The article does not make it clear either way.
    Sounds like an inside job to me………