Limo Company Hack Exposes Juicy Targets, 850k Credit Card Numbers

← Back to Stories (view on slashdot.org)

Limo Company Hack Exposes Juicy Targets, 850k Credit Card Numbers

Posted by timothy on Tuesday November 5, 2013 @05:13AM from the taken-for-a-ride dept.

tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."

43 comments

Min score:

Reason:

Sort:

A-List Spear Phishing by ponraul · 2013-11-05 05:14 · Score: 2

That's hot.
1. Re:A-List Spear Phishing by Anonymous Coward · 2013-11-05 05:33 · Score: 1
  
  Too bad Brian Krebs is always raining on our parade.
Good by Anonymous Coward · 2013-11-05 05:20 · Score: 2, Funny

Exposing the personal information of 30 million people wouldn't bother those in power. But those in power having their information hacked? Finally, we may see some protection of data--at least for those in power.
Hold Them Responsible by Jane+Q.+Public · 2013-11-05 05:21 · Score: 3, Interesting

When are corporations going to be held responsible for the security of their customers' information?

If things like credit card information are stored in cleartext, the corporation doing it should be fined and the people responsible prosecuted if there is a leak. It's just gross irresponsibility, for which nobody has seemed to get punished.

That needs to change.
1. Re:Hold Them Responsible by Anonymous Coward · 2013-11-05 05:24 · Score: 1
  
  When are corporations going to be held responsible for the security of their customers' information?
  Probably now since this actually targets someone in charge.
  The problem is that the "fix" will be to only hold corporations responsible if someone "important" is hurt.
2. Re:Hold Them Responsible by andyjb · 2013-11-05 05:27 · Score: 3, Interesting
  
  They are resposible - if they have been deemed to be in breach of PCI compliance, they will not be granted "safe harbour" by their issuing bank / {AMEX, Visa, MC}. In a nutshell it means that they will find it more expensive to do business from now on. It does often happen however that a business will decide that being PCI compliant is more expensive than the fines...
3. Re:Hold Them Responsible by Thanshin · 2013-11-05 05:33 · Score: 1
  
  When are corporations going to be held responsible for the security of their customers' information?
  Just as soon as we stop referring to "corporations" as if they were people?
4. Re:Hold Them Responsible by Sarten-X · 2013-11-05 05:35 · Score: 2
  
  When are residents going to be held responsible for the security of their valuables?
  If things like cash and jewelery are stored behind unlocked doors, the households storing them should be fined and the people responsible for the storage prosecuted if there is a theft. It's just gross irresponsibility, for which nobody has seemed to get punished.
  That needs to change.
  I'm exaggerating a little, but this is really how the law works now. The criminal responsibility falls to the guy who thought "I'm going to violate this obvious demarcation line and grab whatever I want", rather than the guy who thinks "That barely-visible boundary should be obvious enough". The concept applies broadly, affecting harassment, copyright, theft, injury, and discrimination suits, just to name a few. While there is some consideration given to whether the victim should have taken more reasonable precaution, being careless is not a crime in itself.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
5. Re:Hold Them Responsible by Anonymous Coward · 2013-11-05 05:42 · Score: 0
  
  Being careless can be crime in many circumstances.
6. Re:Hold Them Responsible by Anonymous Coward · 2013-11-05 05:52 · Score: 0
  
  While there is some consideration given to whether the victim should have taken more reasonable precaution, being careless is not a crime in itself.
  Not necessarily a crime but when you handle the property of someone else you have a responsibility to keep it safe and have to compensate the person if you don't.
  If you rent a car and the car is stolen you will likely have to pay a fine.
  Borrowing your friends bike and it gets stolen, well, you can ignore your friend if you are a complete dick but anyone else would offer some sort of compensation.
7. Re:Hold Them Responsible by Sarten-X · 2013-11-05 05:54 · Score: 1
  
  If you let carelessness run amok to the point of negligence, yes... but the circumstances for negligence must be defined in law. There is no such law for information security, outside a few particular areas (financial institutions, health care, and military).
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
8. Re:Hold Them Responsible by sl4shd0rk · 2013-11-05 06:02 · Score: 1
  
  When are corporations going to be held responsible for the security of their customers' information?
  
  It used to be that companies really feared being out of compliance with PCI standards but things must have changed. I don't know for certain but if I had to venture a guess, companies probably find it more appealing to take chances being non-compliant rather than invest in appropriate infrastructure (including competent staff) to support full PCI compliance .
  It's *extremely* difficult to sell proper security to management based on potentials. They want numbers to plug into their spreadsheets to measure cost vs. benefit but when you are working with a gradient like a compromise those numbers fall anywhere from 0 to infinity depending on the depth of the compromise (think Stuxnet) and what assets are at risk (adobe Photoshop source code). For those reasons, many companies only implement the bare minimum and hope for the best.
  
  --
  Join the Slashcott! Feb 10 thru Feb 17!
9. Re:Hold Them Responsible by TheNastyInThePasty · 2013-11-05 06:06 · Score: 5, Insightful
  
  Having YOUR stuff stolen kind of is the fine. Your anology doesn't work because in this case, it's not the company's information that was stolen. It was their customers. A bank is a closer analogy but even that doesn't work. I'm pretty sure the bank will compensate you if the contents of your security box is stolen due to their poor security practices.
  With this company and the recent Adobe breach, there's no compensation for their customers who had their data stolen. The company gets to just go "Well shucks, I'm sorry guys." Meanwhile, their customers have been exposed to possible identity theft or fraud and they're the ones who have to deal with the consequences.
  A couple of years ago, my social security number was stolen from a local university that I took a summer class at. My parents then subscribed to one of those identity theft protection services. Were we ever compensated for the service fees needed to protect my identity? Nope. Would I have been compensated if someone stole my identity and destroyed my credit for life? Nope.
  That's the problem.
  
  --
  The best thing about UDP jokes is I don't care if you get them or not
10. Re:Hold Them Responsible by Deadstick · 2013-11-05 06:12 · Score: 5, Funny
  
  I'll believe they're people when Texas executes one.
11. Re:Hold Them Responsible by CODiNE · 2013-11-05 08:37 · Score: 1
  
  Oh yeah for years the community college I went to would use SSN for student IDs. They'd pass around an "anonymized" roll sheet where everyone would sign next to their SSN. At the end of the semester your grades would be posted next to your SSN instead of your name.
  Idiots.
  
  --
  Cwm, fjord-bank glyphs vext quiz
12. Re:Hold Them Responsible by Sarten-X · 2013-11-05 08:47 · Score: 1
  
  I'm not saying it makes sense for a company to be unaccountable, but only that that's the way the law is set up now. There's a pretty strong fear of blaming the victim in legislature, so I doubt we'll see any such laws crop up soon. Legally, it's the same as a gym's locker room that says "not responsible for lost or stolen items". The law just doesn't make them responsible.
  You do bring up an interesting point... why does a university need your federal retirement savings account number?
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
13. Re:Hold Them Responsible by cheater512 · 2013-11-05 09:09 · Score: 1
  
  Every credit card related info leak is in breach of PCI compliance.
  Even if they got audited just a week previously and passed with flying colours.....
14. Re:Hold Them Responsible by Gr8Apes · 2013-11-05 10:42 · Score: 1
  
  I'll believe they're people when Texas executes one.
  I guess Texas did
  
  --
  The cesspool just got a check and balance.
15. Re:Hold Them Responsible by Jane+Q.+Public · 2013-11-05 10:43 · Score: 1
  
  "Just as soon as we stop referring to "corporations" as if they were people?"
  Corporations can be held legally responsible for their actions. Hell, that's one of the reasons corporations were invented.
16. Re:Hold Them Responsible by Anonymous Coward · 2013-11-05 12:24 · Score: 0
  
  They CAN but typically AREN'T. In the few instances they are held accountable it ususally involves a slap on the wrist fine compared to the money they made on the data that was lost.
17. Re:Hold Them Responsible by TheNastyInThePasty · 2013-11-05 15:00 · Score: 1
  
  My point is that they're not really the victim. Their customers are. The businesses are the conduit. They are the means by which the attacker is able to cause you damage. Framed that way, it becomes clearer that they deserve consequences for their failure.
  
  --
  The best thing about UDP jokes is I don't care if you get them or not
18. Re:Hold Them Responsible by Anonymous Coward · 2013-11-05 15:55 · Score: 0
  
  Unless you work there, a university should not have your SSN.
  Look into FERPA regulations. This is a HUGE thing to have happened and I believe you have recourse.
850K by pr0t0 · 2013-11-05 05:26 · Score: 1, Interesting

Also known as a list of 850,000 people making a hell of a lot more than I do.

--
I'm sorry, but your opinion seems to be wrong.
St Louis in the House!!!! by turp182 · 2013-11-05 05:26 · Score: 3, Funny

Hey, I have to take every chance I get to promote my hometown, and that's where this company is based.
A coworker for mine knows someone that used to work for the company, it sounds like they used a custom (homebrew) encryption scheme for the passwords. This could be incorrect, the guy hasn't worked there in a couple of years.
Anyway, we didn't win the World Series, but apparently we can give you Tom Hanks credit card info...

--
BlameBillCosby.com
1. Re:St Louis in the House!!!! by HornWumpus · 2013-11-05 05:56 · Score: 1
  
  East St Louis is the best St Louis.
  That's a slight exaggeration. But St Louis really is a shithole.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
2. Re:St Louis in the House!!!! by turp182 · 2013-11-05 11:26 · Score: 1
  
  I'm assuming you were trying to be offensive, but no offense taken. STL is a good "live in" city, better than So Cal (where your 2nd job is sitting in traffic and the state/federal officials seem to be... out of touch with reality - watch out for cancer!!!). Better than Phoenix as well (summer sucks and I prefer "character" rather than a 15 square mile suburb). Same for Vegas on the suburb. All are nice for visiting, but not for living, unless you have millions to spend/waste. Washington state is probably nicer...
  I live in a walkable neighborhood (food, drinks, entertainment, groceries, frozen yogurt) in a house that was built in 1885. Built to last, which time has proven. I do commute to the boring suburbs for work, such is reality (against traffic). Soulard is my home.
  East St. Louis is hell, that is for sure. But where I'm at I can walk a couple of minutes and get almost any type of food and listen to bands from Ireland almost any night of the week (McGurk's - fantastic).
  And it's where my family is. Which is important, having kids (people who like to take the kids over the weekend - coming up this weekend in fact).
  It's also a very good market for software developers, it's a job seeker's market right now.
  Why did I type so much...
  
  --
  BlameBillCosby.com
We are a limo company not an IT one the outsourcer by Joe_Dragon · 2013-11-05 05:28 · Score: 1

The outsource is the one who messed up.
and use adobe PDF reader by Joe_Dragon · 2013-11-05 05:33 · Score: 1

that just auto hacks your system when some opens an PDF loaded with hacker tools in it.
not THAT rich by cellocgw · 2013-11-05 05:43 · Score: 1

Pffft... if they were really rich, they'd have their own fulltime bonded limo drivers on staff. Before you laugh, remember that the suckily rich own huge yachts which have a permanent crew whose only job is to make sure the yacht shows up at whatever port the owner wants his next party to be at.

--
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
1. Re:not THAT rich by swb · 2013-11-05 06:15 · Score: 2
  
  "...at whatever port the owner wants.." is kind of a small list of boats.
  Just moving even a smallish yacht (75 feet or so) ocean distances is really expensive and/or really slow. Sport yachts capable of 20+ knots cruising speeds can eat double-digit quantities of fuel per hour. Moving from Miami to NYC could take days and tens of thousands of dollars in fuel and most don't have the fuel capacity for major blue ocean transits. Trawler styles use less fuel, but have cruising speeds in the single digits.
  I think even most million-dollar class yachts that are crewed aren't crewed by permanent crews but are crewed as needed when the owner wants to use them, maybe with a preferred captain and generally don't move ports but may move to alternate berthings with the general vicinity, but even then you can't just show up with a big boat and expect to find a berthing for it.
  Of course there are ocean-going ships permanently crewed, but this is a pretty small list because now you're talking really large boats that are ships with operating costs on par or exceeding large jets.
2. Re:not THAT rich by rickb928 · 2013-11-05 07:11 · Score: 1
  
  The rich use their yachts primarily as vacation homes. And they rent them out to defray the costs. Or lend them out to impress their buddies.
  
  --
  deleting the extra space after periods so i can stay relevant, yeah.
Nobody Seems To Notice and Nobody Seems To Care by Anonymous Coward · 2013-11-05 05:46 · Score: -1

** PLEASE COPY AND SHARE THIS ARTICLE **
** ESPECIALLY ON THE #BADBIOS - BADBIOS - bad bios - DISCUSSION WHICH MAY HAVE STATE ACTORS SAYING IT IS BUNK **
Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
"In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms
How many rootkits does the US[2] use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?
I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.
Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.
The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not
IS KEVIN BACON IN ANY DANGER ?? ANY AT ALL ?? by Anonymous Coward · 2013-11-05 05:49 · Score: -1

Because that would truly be a tragic turn for the lesbian !!
Re: Nobody Seems To Notice and Nobody Seems To Car by Anonymous Coward · 2013-11-05 05:55 · Score: 0

Damn, that is the longest post I have ever seen.
Prostitution / Mistress Detection by arthurpaliden · 2013-11-05 05:59 · Score: 2

Ok now all one has to do is to find out what the most common destinations, other than their homes, were and there you have who possibly uses prostitutes or have mistresses.

--
Undetectable Steganography? Yep, there's an app fo
Limos != yachts by Anonymous Coward · 2013-11-05 06:27 · Score: 0

I wouldn't be so sure about that.
The rich don't need to use a yacht everyday so there's time to move the yacht to where it needs to go, but you need a car everyday.
Rich people fly around a lot more, and planes travel faster than cars so if you want a car to be there when you land, you'll need to have multiple cars distributed geographically, and with it comes extra cost in logistics
The really rich may do that for the places they frequent a lot, but I think they do travel to a lot of other places where it's better to just rent as you go.
1. Re:Limos != yachts by uncqual · 2013-11-05 07:11 · Score: 2
  
  Or, just fly your cars (multiple needed for backup and for security details) in your second 747. Poor folks may have to cram the cars into the cargo hold on their primary (and only) 747 -- but that's pretty low class and only trailer trash would consider it.
  
  --
  Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
Re: Nobody Seems To Notice and Nobody Seems To Car by globalist · 2013-11-05 06:38 · Score: 1

You must be new here, right?
Uncle Leo? by peter.kingsbury · 2013-11-05 06:48 · Score: 1

Is that you?
850,000 Limo Riders? by edibobb · 2013-11-05 11:54 · Score: 2

There are sure a lot of people who ride in limousines.
Cricket by shimul1990 · 2013-11-05 16:17 · Score: 1

Cricket is now a days a very popular & interesting game all over the world.
Re:We are a limo company not an IT one the outsour by Anonymous Coward · 2013-11-08 20:29 · Score: 0

Get what you pay for, I guess.
Lobra by Anonymous Coward · 2013-11-09 09:42 · Score: 0

1 kamer canon 1 duks me kanabis