Slashdot Mirror


Best Buy Warns of Data Breach (usatoday.com)

Best Buy, along with Delta Air Lines and Sears, says that [24]7.ai, a company that provides the technology backing its chat services, was hacked between September 27 and October 12, potentially jeopardizing the personal payment details of "a number of Best Buy customers." The electronics company said in a statement that "as best we can tell, only a small fraction of our overall online customer population could have been caught up in this... incident whether or not they used the chat function." They will reach out to customers who were impacted.

25 comments

  1. This is routine by silverkniveshotmail. · · Score: 2

    I'm not surprised or outraged anymore. On the bright side, credit monitoring is basically free for everyone forever.

    1. Re: This is routine by Anonymous Coward · · Score: 0

      Technically credit reports have always been shared with Pajit and Kumar somewhere in a shitty jungle call center.

    2. Re:This is routine by Anonymous Coward · · Score: 0


      This is <Credit Monitoring Service>,

        We regret to inform you that your identity was compromised at <Company Name> and we have begun our efforts to protect your credit.

      As always we thank you for being a valued customer of <Credit Monitoring Service>.

      Regards,

      <CEO Name and Signature>

Of course once you realize that there is nothing to be gained from this relationship, as they can't prevent this from recurring, and it's actually yet another point of compromise for you, you start wondering why this crap isn't dealt with. Then you realize you've sold your digital soul to a bunch of green-eyed marketing agents and start wishing you could put the genie back in the bottle. Finally you pucker up and bend over because short of a march on D.C. you won't get any real fix because everyone but you, that matters, is getting rich off of it.

  2. Damn it, time for a law with teeth by Anonymous Coward · · Score: 0

    This is BS. I work for the gov and can't get any IT installed without going through a long RMF process and have it continuously scanned for vulnerabilities. Any found require an immediate patch or approved mitigation. If no patch or mitigation, it needs to go away.

    These companies that can't seem to do the same should suffer the death sentence when they are breached and customer data is stolen. That data should be behind multiple firewalls and a secure enclave with no direct access. Use tokens outside the enclave to represent customers. There is no way in hell a 3rd party contractor should have any direct access to the raw data.

    I'm sure Best Buy will shrug this off with a token one year credit monitoring offer. Right now I have so many companies monitoring my credit for free I can't keep track of them all. Threaten their executive level officers and board members with jail and I bet they get damn serious about security.

    1. Re: Damn it, time for a law with teeth by Anonymous Coward · · Score: 0

      the data breach is much older, and by design.

why would credit card details be shared with a live chat vendor? especially clients that never used chat?

      this sounds like they were caught in a payment processing offence and decided to "blame the hackers"

  3. outsource to the lowest cost provider by Anonymous Coward · · Score: 0

    and this is what happens. what else did you expect.. especially where customer data and credit cards are handled...hire a competent staff and do the shit yourself.

    ohh? that costs more money than your current method? well, your current method is fucked up and doesn't work. quit being greedy fucks, pay your staff competitively (while not overpaying your executives). hire locally (i.e. domestically), not imports from beyond the oceans.

    all this outsourcing is like just trying to pass-the-buck 'just in case' something (like this) happens.. each of the retailers can say "not our fault" and point the finger-of-blame elsewhere.

  4. There is a simple solution by Anonymous Coward · · Score: 1

    For in-store purchase, CASH!!!

    1. Re:There is a simple solution by Anonymous Coward · · Score: 0

      For in-store purchase, CASH!!!

      Mod parent up!!!!!

    2. Re:There is a simple solution by tlhIngan · · Score: 1

      For in-store purchase, CASH!!!

      Except it wasn't in-store purchases that were hacked. It was online purchases - the chat software was a SaaS package Best Buy, Sears, etc. all used that got hacked.

      It's not about Point of Sale machines being hacked (this time), but about how one company whose software is used by lots of other companies got hacked. Closest example would be bad ads being served up, except instead of the site hosting the ad, it was a piece of utility software instead.

  5. Monotonous! by mschaffer · · Score: 2

    Let me know when someone hasn't been breached.
    The real news is that nothing important is being done about it.
    Nobody gets punished. Nothing happens except waiting for the next one.

    1. Re: Monotonous! by ArmoredDragon · · Score: 1

      Hmm...no. I know for a fact that they're going to get fined by PCI. PCI-DSS is in many ways like HIPAA: It gives vague details about how your network and servers should be secured, (for example it says networks should be "segmented" with no clarification at all if vlans suffice) and basically "do your best". If payment details get leaked, then guess what? You didn't do enough to secure your network, so have a fine.

      Though PCI also has a reputation of being in the business of fining anyone who processes credit cards. If they don't have a reason to fine you, then they might create one by saying you weren't following one of their vague rules, even if there hasn't been a data breach. This is why a lot of businesses prefer to use a company like Square to process the payment data. Best Buy isn't one of those, however, because they store their own credit card data.

  6. Why? by srichard25 · · Score: 2

    Why would technology backing chat need any access to payment information?

    1. Re:Why? by Anonymous Coward · · Score: 0

      The same machines probably have access to the payment systems so that the chat customer service rep can actually do useful work for customers :p

    2. Re: Why? by Anonymous Coward · · Score: 0

      It runs as JavaScript on the browser and sends any button clicks and form data to the "analytics" channel in the "chat" company

    3. Re:Why? by tlhIngan · · Score: 1

      Why would technology backing chat need any access to payment information?

      The problem was the chat software was hacked. So when you try to check out and enter your payment information, that little box that pops up asking if you need support then snarfs the data from the web page.

      Basically, all these companies use a SaaS package from a company who was breached. That breach caused the software used to get the ability to steal information. It's less about Best Buy et al. storing the payment information, and more of a rogue script in a SaaS package they use grabbing the data in flight.

      There's probably way more companies who are going to find out they were customers of [24]7 as well.

  7. Oof! by Anonymous Coward · · Score: 0

    "All 6 people who still shop at Best Buy were affected by the breach."

  8. How to keep your information from being compromise by Hallux-F-Sinister · · Score: 1

    Don't ever tell your personal information to anyone. That's the closest way you can come to protecting it. It's just the reality today, and it's why we can't have nice things. It's too late for me, as everyone on the dark web knows everything about me... I may have to give up all my stuff, and learn how to speak Amish.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.

  9. Data breaches are like old, rusty cars. by Anonymous Coward · · Score: 0

    It's always worse than you first think.

    Anyone who has restored an old car knows this.

  10. Don't let them keep or store your info.. by Anonymous Coward · · Score: 0

    Don't let them have your payment info??

  11. Who ya gonna call to clean up a mess like this? by SpzToid · · Score: 1

    Geek Squad!

    The FBI paid Best Buy Geek Squad employees as informants, rewarding them for flagging indecent material when people brought their computers in for repair.

    --
    You can't be ahead of the curve, if you're stuck in a loop.

  12. Re:How to keep your information from being comprom by Ol+Olsoc · · Score: 1

    I may have to give up all my stuff, and learn how to speak Amish.

    It's similar to English Canadian. Now let's get you a name - Caleb has a nice ring.

    But it isn't all bad, if google searches for "Amish Porn" are any indication.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  13. TRANSLATION by JustAnotherOldGuy · · Score: 1

    "as best we can tell, only a small fraction of our overall online customer population could have been caught up in this... incident"

    Lol, "as best we can tell"

    TRANSLATION: "They got all your data, every bit of it, but we're going to reveal this in a series of press releases in order to desensitize you to the scope of the loss."

    --
    Just cruising through this digital world at 33 1/3 rpm...

  14. hardly a punishment by Anonymous Coward · · Score: 0

    PCI fines are usually very small. For example, TJ Maxx only paid $500k. This is small potatoes when compared to what their earnings are.

    1. Re:hardly a punishment by Anonymous Coward · · Score: 0

      They are also paid to the government, not the victims.

  15. Key Shadowing by Anonymous Coward · · Score: 0

    As long as key management systems exist this will only keep happening! Quantum computing is around the corner. The only tech that can help this situation is www.keyshadowing.com if it's about risk management then why do we still store keys sitting there waiting to be lost, or stolen. Get rid of it that way it eliminates that risk. Also, that tech is the only tech in the world Quantum immune.