Madison Square Garden, Radio City Music Hall BreachedCardholder Data Was Stolen For Nearly a Year Before Discovered
Cybercriminals broke into the payment card processing system used by the Madison Square Garden Co., owner of Radio City Music Hall and other iconic entertainment venues, harvesting payment card details for nearly a year.
The company was notified after banks noticed transaction patterns that indicated a possible fraud concern. An investigation last month found malware that looked for payment card information as it was routed through the system for authorization.
"The program was designed to find data read from the magnetic stripe of a payment card - data that may contain the card number, cardholder name, expiration dates and internal verification code," according to a notice on MSG's website.
MSG says it stopped the intrusion in late October with the assistance of security firms and put in place enhanced security measures. Law enforcement has been notified, the company says.
MSG didn't estimate the number of cards affected. The attack targeted cards that had been used to purchase food, beverages and other merchandise between Nov. 9, 2015, and Oct. 24, 2016, at Madison Square Garden, Radio City Music Hall, Beacon Theater, the Theater at Madison Square Garden as well as the Chicago Theater.
Not all cards used at those locations were affected, MSG says, and the breach didn't affect other purchasing systems. "This incident did not involve cards used on MSG websites, at the venues' box office or on Ticketmaster," the company notes.
Payment card breach notifications such as this one occur with regularity despite well-publicized breaches of major retailers including Target and Home Depot over the past few years (see Malware: Examining the Home Depot Breach).
In July, fast-food chain Wendy's said 1,025 U.S. restaurants owned by franchisees discovered that malware had been installed on their point-of-sale systems. Like other breaches, the cybercriminals likely used access credentials from other service providers who had access to Wendy's systems, which allow for the deployment of malware (see Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).
For more than a decade, the payment card industry has pushed compliance with the Payment Card Industry Data Security Standards to better secure cardholder data and processing systems. But even if retailers follow the guidelines, it's no guarantee against a breach.
PCI-DSS is complicated, and a seemingly innocuous change to payment processing infrastructure can open up weaknesses to attackers. Plus, anti-virus software does not always catch specially crafted malicious software.
Last October, the payment card industry imposed liability on U.S. retailers that do not have compatible equipment to process cards with a microchip that provides stronger security. These so-called EMV cards make stolen card data more difficult to use (see Merchants Ask Court for Relief from EMV Liability Shift).
If criminals try to clone a payment card by copying stolen data, the network should recognize the card doesn't have the microchip and deny the in-person transaction. But the stolen data could still be used for card-not-present transactions. Regions where payment cards have microchips have typically seen that type of fraud rise.
Once stolen, the card details are sold on underground forums. Other fraudsters purchase the details based on the estimated value of the card. So much payment card data is stolen that the sale value of the cards can be low. Fresh influxes of newly stolen cards is needed, however, as banks move to cancel cards that have been used for fraud or are at high risk.