Breaches Infest C-Stores, Gas Stations: Study
Convenience store and gas station chains appear to be most susceptible to data breaches, according to a study from the Richmond, Va.-based Risk Based Security, “Data Breach QuickView: 2015 Data Breach Trends.”
In terms of which businesses endured multiple data security breaches, six of the study’s Top 12 Repeat Offenders were oil companies and conveniences stores, with Shell Oil ranking the highest followed by 7-Eleven. Shell saw 14 data breaches while 7-Eleven tied with Bank of America at 13 each.
Circle K (10 breaches), ExxonMobil (seven), Sunoco (six) and Marathon Petroleum Corporation (five) followed. Completing the top 12 list, which also included government agencies, were the Derby City Council with eight data breaches, U.S. Department of Veterans with six, and the United States government, Uber and Santander Bank with five each.
According to the study, the total number of data breach incidents was up 23% to 3,930 in 2015 from 3,192 in 2014. The number of exposed records, however, fell 33% to 736 million in 2015 from 1.1 billion the year before, the report said.
“The fragmented nature of the retail convenience store and gas station business and the ease of accessing pumps not visible to cashiers encourage multiple breaches,” Risk Based Security CEO Barry Kouns explained.
Automated fuel dispenser skimming is the most frequent form of data theft, the report said. To pull this off, a skimmer usually affixes a device over the mouth of the card reader and secretly captures credit and debit card information when customers insert their cards into the ATM machines or fuel pumps. Criminals also use a combination of cameras and video devices to capture cardholder PINs as part of their ATM skimming scheme.
Chain operators and independents have different levels of sophistication and processes regarding data security, which leads to inconsistency, the report revealed. Adding to the problem is the continued use of vulnerable, magnetic stripe cards at the pump versus chip cards, as well as the growing expertise of data thieves. The EMV compliance deadline for automated fuel dispensers is Oct. 1, 2017.
The analysis found California had the highest number of data breach incidents in 2015 at 199, with Florida coming in second at 130. California retained the top spot from 2014, while Florida rose to the No. 2 spot. New York came in third in 2015 at 102 incidents.
In December, CU Times reported the debit card fraud rise in California created so much concern among credit unions that at least one, the $933 million, El Segundo, Calif.-based Xceed Financial Credit Union, took the unprecedented step of blocking cards used at 7-Eleven and Wells Fargo terminals.
Bulletins sent by CO-OP Financial Services to its member credit unions said the CUSO was aware of a number of ATM card skimming cases primarily occurring at 7-Eleven locations in the Mid-Atlantic area and Southern California.
In Michigan, out of state gangs covertly attached card readers and small cameras inside gas pumps, according to Mlive.com. The scams ran from early July 2015 to September of this year.