More than 800 members of the engineering society IEEE received letters informing them their credit card numbers had been stolen, after they'd registered for a conference.
The Institute of Electrical and Electronics Engineers has notified more than 800 of its members that their credit card and other personal information were stolen from a member database.
The engineering society acknowledged the Nov. 17 breach to the New Hampshire attorney general on Feb. 24. Attackers may have obtained access to credit card information and the associated names for approximately 828 IEEE members, according to a letter IEEE sent to members.
The November hack was described in the letter as a "sophisticated network intrusion" by a third party. The draft form of the letter was sent to the New Hampshire attorney general's office.
IEEE discovered the breach and reported it to the FBI in December, according to the letter. A team of forensic investigators identified which data had been taken on Feb. 10. The team also found and fixed the security vulnerabilities that allowed the attackers to penetrate the system, Nathaniel Akerman of the law firm Dorsey and Whitney wrote in the letter.
With over 400,000 members globally, IEEE describes itself on its website as the "world's largest technical professional society." Members work in fields as varied as aerospace, information technology, nuclear engineering, robotics and manufacturing.
According to the letter, only one of the affected members was a New Hampshire resident, but New Hampshire's mandatory breach-notification law requires organizations to report any breach involving a state resident to the attorney general's office. More than 38 states have similar laws.
Maryland's attorney general's office has also been notified. The office declined to say how many affected members were Maryland residents.
IEEE had obtained the credit card information when members registered for an IEEE conference, the letter sent to affected members said. According to the letter, the card identification number (also known as the CSC, CVC or CID), the three-digit code usually printed on the back of the card (four digits on the front for American Express), was also among the information stolen. The stolen data thus included the card number, cardholder name, expiration date and the CID.
This raises questions about how IEEE stored payment data. Storing the CID after a transaction has been authorized is prohibited outright by PCI DSS (Payment Card Industry Data Security Standard) Requirement 3.2.2, as listed on the PCI Security Standards Council website, and the prohibition applies even if the value is encrypted.
The card number itself is also supposed to be rendered unreadable wherever it is stored, under PCI DSS Requirement 3.4: by a strong one-way hash of the full number, by truncation, by tokenization, or by strong encryption with proper key management. (A hash is not encryption; the requirement lists both as acceptable methods.) It is not clear at this time how IEEE stored the card numbers, but the CID should never have been stored in the first place. Most organizations ask for the code, pass it to the payment processor to validate the transaction and then discard it; a CID turning up in a breached database usually points to the raw checkout form, or a log of it, having been persisted as-is.
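The following is an added example, not IEEE's code or anything described in the letter, contrasting the storage pattern the breach implies (the registration form persisted verbatim) with a form that satisfies the two requirements above: the CID is used only for authorization and never written anywhere, and the card number is kept only as a keyed one-way hash plus the last four digits. The field names, the `PAN_HMAC_KEY` secret and the `authorize_with_processor` stand-in are assumptions. It also includes an audit check that flags records holding a CID or a full card number, and a short brute-force routine showing why the hash must be keyed: with an unkeyed SHA-256 and a guessable issuer prefix, the stored last four digits leave only a handful of unknown digits to enumerate.

```python
"""Card-data storage: the pattern a CID-containing breach implies, beside a
hardened form. Added example; names, fields and the processor call are assumptions."""
import hashlib
import hmac
import re
import secrets

# Assumption: a per-deployment secret held in a key manager (HSM/KMS), never in the DB.
PAN_HMAC_KEY = secrets.token_bytes(32)

# Field names under which a card verification code is commonly (and wrongly) persisted.
CID_KEYS = {"cid", "cvv", "cvv2", "cvc", "csc"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def authorize_with_processor(pan: str, expiry: str, cid: str) -> str:
    """Stand-in (assumption) for the processor call: the CID travels with the
    authorization request and only an approval code comes back."""
    return "AUTH-" + secrets.token_hex(3)


def store_card_bad(form: dict) -> dict:
    """What a breach of this shape implies: the form persisted as-is, PAN and CID included."""
    return dict(form)


def store_card_good(form: dict) -> dict:
    """PCI DSS 3.2.2 / 3.4 compliant record: no CID, no cleartext PAN."""
    pan = re.sub(r"\D", "", form["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    cid = form["cid"]
    if not re.fullmatch(r"\d{3,4}", cid):
        raise ValueError("invalid CID")
    auth = authorize_with_processor(pan, form["expiry"], cid)
    del cid  # the CID exists only for the authorization call above
    return {
        "name": form["name"],
        "expiry": form["expiry"],
        "last4": pan[-4:],
        # Keyed one-way hash: matches a returning card without storing the PAN.
        "pan_hmac": hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest(),
        "auth_code": auth,
    }


def find_prohibited_data(record: dict) -> list:
    """Audit check: report fields holding a CID or a full, Luhn-valid PAN.
    A value is treated as a PAN when, with spaces and dashes removed, it is
    entirely 13-19 digits and passes Luhn (hex digests therefore never match)."""
    findings = []
    for key, value in record.items():
        if key.lower() in CID_KEYS:
            findings.append(f"{key}: card verification code stored (PCI DSS 3.2.2)")
            continue
        cleaned = re.sub(r"[ -]", "", str(value))
        if re.fullmatch(r"\d{13,19}", cleaned) and luhn_ok(cleaned):
            findings.append(f"{key}: cleartext PAN stored (PCI DSS 3.4)")
    return findings


def unkeyed_sha256(pan: str) -> str:
    """The weak alternative: a plain hash of the PAN with no secret key."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_unkeyed_hash(digest_hex: str, known_prefix: str, last4: str):
    """Why the hash must be keyed: given an unkeyed digest, a guessable issuer
    prefix and the stored last four digits, only the middle digits of a
    16-digit PAN are unknown, so the search space is tiny."""
    unknown = 16 - len(known_prefix) - len(last4)
    for n in range(10 ** unknown):
        candidate = f"{known_prefix}{n:0{unknown}d}{last4}"
        if luhn_ok(candidate) and unkeyed_sha256(candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample form using the public test PAN 4111 1111 1111 1111.
    form = {"name": "Jane Doe", "pan": "4111 1111 1111 1111", "expiry": "12/13", "cid": "123"}
    print("bad record findings :", find_prohibited_data(store_card_bad(form)))
    print("good record findings:", find_prohibited_data(store_card_good(form)))
    print("recovered from unkeyed hash:",
          recover_pan_from_unkeyed_hash(unkeyed_sha256("4111111111111111"), "41111111", "1111"))
```

Keeping the last four digits beside the keyed hash is acceptable only because the hash cannot be inverted without `PAN_HMAC_KEY`; later PCI DSS versions explicitly require that truncated and hashed copies of the same PAN not be correlatable, which the brute-force routine demonstrates for the unkeyed case. The audit check is deliberately simple (whole-field matches only); a real data-discovery pass would also scan logs, crash dumps and backups, where the checkout form most often ends up.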
IEEE encouraged members to check their credit card statements carefully, cancel current cards and check their credit information. IEEE also offered a one-year subscription to the LifeLock credit-monitoring service.
It also remains unclear whether the attackers hit IEEE only for credit card and other personal information, or whether there was another motive. Many IEEE members work in sensitive industries and organizations.