Seattle Fraud Spree: Case Grows

Foreign Hacker Suspected in Restaurant Data Breach
Seattle Fraud Spree: Case Grows
Federal authorities now say the recent Seattle cyber attack was a much bigger crime than first believed. A U.S. Secret Service agent says more than 1,000 credit and debit cards may have been compromised.

The attack happened in late October, and the forensic trail leads overseas, officials say. Card data was stolen on Oct. 22 in a one-day attack by what authorities say for now was one hacker. The Seattle Capitol Hill area restaurant, Broadway Grill, appears to be ground zero for the attack. Secret Service agent Bob Kierstead of the Seattle Electronic Crimes Task Force says the overseas hacker who was able to access the network through Broadway Grill's system appears to have been able to leapfrog from the restaurant's access to a critical server in the transaction process, where account information was available.

The scheme appears to involve the sale or distribution of the stolen account information to numerous individuals across the country, as well as in foreign countries. Those individuals then used the information to make purchases against the consumer accounts. Authorities early in the investigation speculated that an organized crime group was involved.

Broadway Grill says it began cooperating with authorities immediately after the hack was discovered. It has since beefed up security around its payment network computer system.

The Secret Service says it is close to identifying the alleged perpetrator, but declines to name the country of origin, saying that revelation could compromise the agency's investigation. The agency says it is looking into possible links between the Capitol Hill fraud spree and another recent cybercrime wave in an unidentified northwest community.

Local institutions have aided the investigation, including the fraud response team at Boeing Employees Credit Union, an $8.6 billion institution based in Washington. According to John Snodgrass, security risk manager at BECU, the fraudulent charges on their members' cards were spotted immediately by the credit union's fraud-monitoring system, and information was quickly turned over to authorities to help pinpoint where the criminals were collecting card data.

Integrated Security Standards

Tom Wills, a fraud analyst with Javelin Strategy & Research, says the Capitol Hill hack reveals weaknesses posed by non-integrated systems in the payments chain.

Global standards that bring together all players in the payments supply chain -- including card companies, financial institutions, processors and merchants -- are the only ways the industry can ensure security, he says. Even global adoption of the EMV chip standard would not have prevented hackers from collecting card numbers in this type of attack, Wills says.

"They are exploiting what I call the 'silo syndrome' -- the fact that different parts of the payment system are secured as individual components, but there's no integrated security across the system," he says. "If the POS system can be easily broken into, it leaves a security hole for hackers to exploit, and this is just what happened in the Seattle incident."

Wills says the only effective way to secure the payments chain will come from the development of global standards for end-to-end encryption and security. "These standards would have to be jointly owned and be realistic, in terms of economic cost and benefit to each of the parties," he says. "This isn't anywhere on the horizon -- it's not PCI -- and even if it was, it would be a slow, expensive and highly political process."

Managing Editor Tracy Kitten contributed to this report.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.