Limo Company Hack Exposes Juicy Targets, 850k Credit Card Numbers

tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."

A-List Spear Phishing

[ponraul]

That's hot.

Re:

[Anonymous Coward]

Too bad Brian Krebs is always raining on our parade.

and use adobe PDF reader

[Joe_Dragon]

that just auto hacks your system when some opens an PDF loaded with hacker tools in it.

Good

[Anonymous Coward]

Exposing the personal information of 30 million people wouldn't bother those in power. But those in power having their information hacked? Finally, we may see some protection of data--at least for those in power.

Hold Them Responsible

[Jane Q. Public]

When are corporations going to be held responsible for the security of their customers' information?

If things like credit card information are stored in cleartext, the corporation doing it should be fined and the people responsible prosecuted if there is a leak. It's just gross irresponsibility, for which nobody has seemed to get punished.

That needs to change.

Re:

[Anonymous Coward]

When are corporations going to be held responsible for the security of their customers' information?

Probably now since this actually targets someone in charge.

The problem is that the "fix" will be to only hold corporations responsible if someone "important" is hurt.

Re:

[andyjb]

They are resposible - if they have been deemed to be in breach of PCI compliance, they will not be granted "safe harbour" by their issuing bank / {AMEX, Visa, MC}. In a nutshell it means that they will find it more expensive to do business from now on. It does often happen however that a business will decide that being PCI compliant is more expensive than the fines...

Re:

[cheater512]

Every credit card related info leak is in breach of PCI compliance.
Even if they got audited just a week previously and passed with flying colours.....

We are a limo company not an IT one the outsourcer

[Joe_Dragon]

The outsource is the one who messed up.

Re:

[Thanshin]

When are corporations going to be held responsible for the security of their customers' information?

Just as soon as we stop referring to "corporations" as if they were people?

Re:Hold Them Responsible

[Deadstick]

I'll believe they're people when Texas executes one.

Re:

[Gr8Apes]

I'll believe they're people when Texas executes one.

I guess Texas [idownloadblog.com] did [techdirt.com]

Re:

[Jane Q. Public]

"Just as soon as we stop referring to "corporations" as if they were people?"

Corporations can be held legally responsible for their actions. Hell, that's one of the reasons corporations were invented.

Re:

[Sarten-X]

When are residents going to be held responsible for the security of their valuables?

If things like cash and jewelery are stored behind unlocked doors, the households storing them should be fined and the people responsible for the storage prosecuted if there is a theft. It's just gross irresponsibility, for which nobody has seemed to get punished.

That needs to change.

I'm exaggerating a little, but this is really how the law works now. The criminal responsibility falls to the guy who thought "I'm going to vio

Re:

[Sarten-X]

If you let carelessness run amok to the point of negligence, yes... but the circumstances for negligence must be defined in law. There is no such law for information security, outside a few particular areas (financial institutions, health care, and military).

Re:Hold Them Responsible

[TheNastyInThePasty]

Having YOUR stuff stolen kind of is the fine. Your anology doesn't work because in this case, it's not the company's information that was stolen. It was their customers. A bank is a closer analogy but even that doesn't work. I'm pretty sure the bank will compensate you if the contents of your security box is stolen due to their poor security practices.

With this company and the recent Adobe breach, there's no compensation for their customers who had their data stolen. The company gets to just go "Well shucks, I'm sorry guys." Meanwhile, their customers have been exposed to possible identity theft or fraud and they're the ones who have to deal with the consequences.

A couple of years ago, my social security number was stolen from a local university that I took a summer class at. My parents then subscribed to one of those identity theft protection services. Were we ever compensated for the service fees needed to protect my identity? Nope. Would I have been compensated if someone stole my identity and destroyed my credit for life? Nope.

That's the problem.

Re:

[CODiNE]

Oh yeah for years the community college I went to would use SSN for student IDs. They'd pass around an "anonymized" roll sheet where everyone would sign next to their SSN. At the end of the semester your grades would be posted next to your SSN instead of your name.

Idiots.

Re:

[Sarten-X]

I'm not saying it makes sense for a company to be unaccountable, but only that that's the way the law is set up now. There's a pretty strong fear of blaming the victim in legislature, so I doubt we'll see any such laws crop up soon. Legally, it's the same as a gym's locker room that says "not responsible for lost or stolen items". The law just doesn't make them responsible.

You do bring up an interesting point... why does a university need your federal retirement savings account number?

Re:

[TheNastyInThePasty]

My point is that they're not really the victim. Their customers are. The businesses are the conduit. They are the means by which the attacker is able to cause you damage. Framed that way, it becomes clearer that they deserve consequences for their failure.

Re:

[sl4shd0rk]

When are corporations going to be held responsible for the security of their customers' information?

It used to be that companies really feared being out of compliance with PCI standards [pcisecuritystandards.org] but things must have changed. I don't know for certain but if I had to venture a guess, companies probably find it more appealing to take chances being non-compliant rather than invest in appropriate infrastructure (including competent staff) to support full PCI compliance .

It's *extremely* difficult to sell proper security to management based on potentials. They want numbers to plug into their spreadsheets to measure cost

850K

[pr0t0]

Also known as a list of 850,000 people making a hell of a lot more than I do.

St Louis in the House!!!!

[turp182]

Hey, I have to take every chance I get to promote my hometown, and that's where this company is based.

A coworker for mine knows someone that used to work for the company, it sounds like they used a custom (homebrew) encryption scheme for the passwords. This could be incorrect, the guy hasn't worked there in a couple of years.

Anyway, we didn't win the World Series, but apparently we can give you Tom Hanks credit card info...

Re:

[HornWumpus]

East St Louis is the best St Louis.

That's a slight exaggeration. But St Louis really is a shithole.

Re:

[turp182]

I'm assuming you were trying to be offensive, but no offense taken. STL is a good "live in" city, better than So Cal (where your 2nd job is sitting in traffic and the state/federal officials seem to be... out of touch with reality - watch out for cancer!!!). Better than Phoenix as well (summer sucks and I prefer "character" rather than a 15 square mile suburb). Same for Vegas on the suburb. All are nice for visiting, but not for living, unless you have millions to spend/waste. Washington state is proba

not THAT rich

[cellocgw]

Pffft... if they were really rich, they'd have their own fulltime bonded limo drivers on staff. Before you laugh, remember that the suckily rich own huge yachts which have a permanent crew whose only job is to make sure the yacht shows up at whatever port the owner wants his next party to be at.

Re:

[swb]

"...at whatever port the owner wants.." is kind of a small list of boats.

Just moving even a smallish yacht (75 feet or so) ocean distances is really expensive and/or really slow. Sport yachts capable of 20+ knots cruising speeds can eat double-digit quantities of fuel per hour. Moving from Miami to NYC could take days and tens of thousands of dollars in fuel and most don't have the fuel capacity for major blue ocean transits. Trawler styles use less fuel, but have cruising speeds in the single digits.

I th

Re:

[rickb928]

The rich use their yachts primarily as vacation homes. And they rent them out to defray the costs. Or lend them out to impress their buddies.

Re:

[uncqual]

Or, just fly your cars (multiple needed for backup and for security details) in your second 747. Poor folks may have to cram the cars into the cargo hold on their primary (and only) 747 -- but that's pretty low class and only trailer trash would consider it.

Re:

[globalist]

You must be new here, right?

Uncle Leo?

[Peter Kingsbury]

Is that you?

Prostitution / Mistress Detection

[arthurpaliden]

Ok now all one has to do is to find out what the most common destinations, other than their homes, were and there you have who possibly uses prostitutes or have mistresses.

850,000 Limo Riders?

[edibobb]

There are sure a lot of people who ride in limousines.

Cricket

[shimul1990]

Cricket is now a days a very popular & interesting game all over the world.