OfficeMax: No evidence of security breach

Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud.

On Tuesday, the office-supply chain said that an independent study by a security expert found no indication that the company's customer information was lost. An internal investigation came to the same conclusion.

"OfficeMax takes the security of our customers' information with the utmost seriousness and is committed to protecting private customer information," the company said in a statement. "As we have stated consistently, we have no knowledge of a security breach at OfficeMax."

But the company wouldn't explain why it was still involved in the investigation into the debit card thefts.

"OfficeMax continues to work with the United States Secret Service and other federal law enforcement agencies in their investigation of ATM fraud," the company said.

Debit card holders from San Francisco to Pittsburgh to Boston have reported cash was seized from their accounts via fraudulent withdrawals. Visa and MasterCard have said a merchant had suffered a data theft but wouldn't identify the company.

During the past two weeks, law enforcement officials have noted that their investigations revealed that many of the fraud victims were OfficeMax shoppers.

On Monday, Hudson County Prosecutor Edward DeFazio said his office had arrested 14 people in connection with the nationwide crime wave involving debit cards. In an interview with CNET News.com, DeFazio identified OfficeMax as among the victims of data theft. He said other companies were also ripped off.

OfficeMax has said it has "not received information from any third party concluding" that it suffered a breach.

[tbsteph]

Why Retain a PIN?

Maybe someone should ask Office Max why they were even storing customer's debit card PIN information? I have read where even customers of their brick and mortar stores were affected.

[dargon19888]

Cheaper processing ...

In the US, you can either do real time credit card authorization or you can batch the requests and then process them either in blocks or after hours at a reduced cost to the retailer.

So the retailer has to determine how much risk there is in a retail purchase to determine how fast to process the card.


To put this in real terms, if the average purchase is under $50.00, it makes sense for a retailer to wait. Especially if the purchaser is a repeat customer. (The odds/risk of a fradulent purchase are low...)

If someone wants to purchase a $1,500 (USD) computer or some other big ticket item, then the risk outweighs the cost and the credit card verification is done in real time.

With respect to internet/brick and mortar sales, its the same system in most cases, therefore the risk is

[dargon19888]

No Evidence??? Like what do you expect?

Not to pick on OfficeMax, but lets face it. Just because you can't find any trace of a break in, doesn't mean that it didn't occur.

Without knowing something about OfficeMax and their set up, there are several vectors of attacks that could occur and unless OfficeMax were to maintain extensive logfiles, it would be difficult to track down where they were penetrated.

Add to the possibility that they waited a couple of months prior to exploiting the stolen credit cards, and your log files are probably gone.

The scary part... Office Max isn't alone. There are other potential targets...

[4KGColeman]

Investigating a Security Breach

It is next to impossible to prove a computer system was not compromised. The average time from breach to discovery is around 2 years.