IEEE Reveals Massive Credit Card Breach

The Institute of Electrical and Electronics Engineers has become the latest organisation to experience a highly damaging data breach after it notified more than 800 of its members that their credit card and personal information had been stolen from a member database.

The engineering society acknowledged the 17 November breach to the New Hampshire attorney-general on 24 February. Attackers may have obtained access to credit card information and the associated names for approximately 828 IEEE members, according to the letter.

The letter IEEE sent to members described the November hack as a “sophisticated network intrusion” by a third party. The draft form of the letter was sent to the New Hampshire attorney-general’s office.

FBI Called In

The IEEE discovered the breach and reported it to the FBI in December, according to the letter. A team of forensic investigators identified which data was missing on 10 February. The team also found and fixed security vulnerabilities that allowed the attackers to penetrate the system, Nathaniel Akerman, of legal firm Dorsey and Whitney, wrote in the letter.

With over 400,000 members globally, IEEE claims on its website to be the “world’s largest technical professional society.” Members work in varied fields such as aerospace, information technology, nuclear engineering, robotics and manufacturing.

According to the letter, only one of the affected members was a New Hampshire resident, but New Hampshire’s mandatory breach-notification laws require organisations to report all breaches to the attorney-general’s office if they involve any of the state’s residents. There are similar laws in place for over 38 states.

Maryland’s attorney-general’s office has also been notified. The office declined to say how many affected members were Maryland residents.

The IEEE had obtained credit card information for members when they had registered for an IEEE conference, the letter sent to affected members said. According to the customer letter, it appears that the card identification number (also known as CSC, CVC and CID numbers), the three-digit code usually found on the back of the card, was also among the information stolen. The stolen information included the credit card number, cardholder name, expiration date, and the CID code.

Protection Questions

This raises some questions about IEEE’s data storage procedures. Storing the CID is a violation of the Payment Card Industry Data Security Standard (PCI DSS), under PCI DSS Requirement 3.2.2 as listed on the PCI Security Standards Council website.

The actual credit card number is also supposed to be stored as an encrypted value, such as a strong one-way hash or using strong cryptography, as mandated by PCI DSS Requirement 3.4. It’s not clear at this time how IEEE stored the credit card numbers, but the CID information should not have been stored in the first place. Most organisations tend to ask for the code, use it for validating the transaction, but not save it in the system.
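The storage rules described above can be checked mechanically. The following is an added example, not code from the article or from IEEE's systems: it builds the record kept after a transaction is validated (CID dropped, card number reduced to its last four digits plus a keyed one-way hash) and audits stored records for the two violations discussed. The field names, the choice of HMAC-SHA-256 as the hash and the key handling are assumptions.

```python
import hashlib
import hmac
import re

# Field names treated as card verification codes (hypothetical schema).
CID_FIELDS = {"cid", "cvv", "cvc", "csc"}
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates likely card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def to_storable(form: dict, key: bytes) -> dict:
    """Build the record kept after authorisation: no CID, no clear-text PAN."""
    pan = re.sub(r"[ -]", "", form["pan"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return {
        "name": form["name"],
        "expiry": form["expiry"],
        "pan_last4": pan[-4:],
        # Keyed one-way hash (assumed choice); the key lives outside the database.
        "pan_hmac": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
    }


def audit(record: dict) -> list:
    """Return findings for one stored record (empty list means clean)."""
    findings = []
    for field, value in record.items():
        if field.lower() in CID_FIELDS:
            findings.append(f"{field}: verification code stored (PCI DSS 3.2.2)")
        for m in PAN_RE.findall(re.sub(r"[ -]", "", str(value))):
            if luhn_ok(m):
                findings.append(f"{field}: clear-text card number (PCI DSS 3.4)")
    return findings


# Constructed sample input: 4111111111111111 is a widely used test number.
SAMPLE_FORM = {"name": "A. Member", "pan": "4111 1111 1111 1111",
               "expiry": "12/15", "cid": "123"}
```

Running `audit` over the raw form returns two findings, while the record produced by `to_storable` returns none.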

IEEE encouraged members to check their credit card statements carefully, to cancel current cards, and to check their credit information. IEEE also offered a one-year subscription to the LifeLock credit monitoring service.

It also remains unclear whether the attackers just hit IEEE looking for credit card information and other personal information, or if there was another motive. Many IEEE members work in sensitive industries and organisations.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
