Tea Chain Teavana Possibly Hit by Data Breach

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.technewsdaily.com/17842-teavana-possible-breach.html

Customers of the popular tea-shop chain Teavana may be at risk of
financial fraud and identity theft, according to a well-known security
blogger.

Independent security blogger Brian Krebssaid yesterday (April 22) that
he had received multiple reports of a data breach on the company's
servers.

Krebs' sources told him customer information, including credit and
debit card details, may have been exposed and accessed by someone
without authorization.

A spokeswoman for Starbucks, which acquired Teavana last year, told
TechNewsDaily that the company could not comment on "any ongoing
investigation," adding that such matters were often encountered during
"the normal course of business."

Atlanta-based Teavana operates nearly 300 company-owned stores in the
United States and Canada, and has franchise partners in Mexico and
Kuwait.

Krebs said an anonymous reader tipped him off to the possible Teavana
breach, which was later seconded by a contact at a major credit-card
issuer.

The credit-card source said increasing fraud rates for cards recently
used at Teavana was a strong indicator that the company's systems
nationwide had been compromised.

It's not clear how many customers might be affected, but a source at a
different credit-card issuer told Krebs that in early March his
company had detected a pattern of cloned cards being used to purchase
high-value gift cards at Target retail stores.

Upon further investigation, the card issuer found that cards used as
early as the fall of 2012 may have been cloned and used fraudulently.

"It went from like nothing to 200 counterfeits in one week," Krebs' source said.

The same source told Krebs that the use of cloned cards strongly
indicated that criminals had placed malicious software onto
point-of-sale machines in order to steal the data stored on cards'
magnetic strips.

The seriousness of the case prompted federal law enforcement to launch
an investigation into the Teavana breach and subsequent financial
fraud.

Data breaches along these lines are dangerous and costly, but they're
nothing new. Just this month, Midwestern grocery chain Schnucks told
its customers that a data breach had left the information for 2.4
million credit cards exposed to cybercriminals.

While there's no way a customer can tell whether a point-of-sale
machine is infected with malware, customers should keep an eye out for
physical "skimmers" attached to legitimate machines or held by
unscrupulous cashiers.

Card holders can protect themselves from financial fraud by regularly
keeping track of their finances, and to arrange with their card
issuers so that they are notified if something seems abnormal or the
outstanding balance reaches a certain level.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.