DataBreaches.Net

(Update and Commentary): Why are states withholding the names of breached entities?

Posted on September 5, 2011 by Dissent

Yet another recent press release – this one from the U.S. Attorney’s Office in Connecticut – shields the name of the breached entity:

David B. Fein, United States Attorney for the District of Connecticut, announced that NATASHA SMITH, 25, of Georgia, formerly of Far Rockaway, New York, waived her right to indictment and pleaded guilty yesterday, August 30, before United States Magistrate Judge Holly B. Fitzsimmons in Bridgeport to one count of conspiracy to commit access device fraud.

According to court documents and statements made in court, from September 2008 to January 2009, SMITH worked as a waitress at a restaurant in Stamford, Connecticut. In pleading guilty, SMITH admitted that, while working at the restaurant, she and a co-worker, Chibuzo Okafor, stole credit card information from customers through the use of “skimming” devices. When restaurant customers would pay with their credit cards, SMITH and Okafor would swipe the cards through hand-held skimmers before running them through the restaurant’s own legitimate credit card verification system. The skimming devices would copy and store the account information encoded on the magnetic strips on the back of the credit cards.

Every few weeks, an individual who supplied the skimming devices would meet with SMITH or Okafor so they could turn over to him the credit card information stored on the devices. That person would pay them either $20 or $25 for each credit card they successfully swiped through the skimming device and then give them new skimmers so they could continue with the scheme. The stolen credit card information was later used by members of the conspiracy to make unauthorized purchases.

While SMITH and Okafor were employed at the Stamford restaurant, approximately 92 credit cards were compromised, the majority of which were compromised by Okafor, resulting in losses of approximately $135,888.

SMITH is scheduled to be sentenced by United States District Judge Janet B. Hall on November 18, 2011, at which time SMITH faces a maximum term of imprisonment of five years.

On March 10, 2010, Okafor pleaded guilty to one count of conspiracy to commit access device fraud. She awaits sentencing.

This investigation is being conducted by the Connecticut Financial Crimes Task Force, notably the United States Postal Inspection Service and the United States Secret Service. The Task Force also includes members from the United States Department of State, Bureau of Diplomatic Security; the Connecticut State Police; and the Glastonbury, Greenwich, Hartford, New Haven and Shelton Police Departments.

This case is being prosecuted by Assistant U.S. Attorney Paul Murphy.

Note that neither the Complaint nor the Plea Agreement, both of which I obtained from PACER, reveals the name of the restaurant in Stamford or the restaurant in New York where both defendants also worked. Why not?

Well, it turns out that in this case, we do know the names of the restaurants – because they were revealed in the prosecution of the co-defendant. In March 2010, another U.S. Attorney for Connecticut revealed the restaurants as P.F. Chang’s and Grand Lux Cafe in Connecticut and New York, respectively.

So why do the 2011 press release and court filings carefully omit the restaurants’ names? I’ve commented on this a number of times, as I do think we’re seeing a disturbing and growing trend whereby information is intentionally withheld from the public – information that is of public concern and that the public should have a right to know.

Are businesses putting pressure on states not to reveal this information?  I have no evidence of that, but it wouldn’t surprise me at all. I do know that states that used to post breach notices online are no longer doing so. Maryland has not updated its site since last year and New York withdrew its site altogether. Budget cuts?  Maybe. Coincidence? Maybe.  But I’d really encourage all states that retain central depositories of breach notifications to post them online so that we have more usable information about statistics and trends.

 


1 thought on “(Update and Commentary): Why are states withholding the names of breached entities?”

  1. garykva says:
    September 9, 2011 at 1:38 pm

    I don’t believe most of the states hold back names of the breaches for protection of the company name. It may be that the ongoing investigation may require it to remain a hush-hush so investigators can accumulate as much data against the criminals as they can. A too early release of a breach may give the hacker ample notice to dump any evidence that may be related to a crime.

    I am not a hacker, but I can imagine, if the “technique” worked against one brand of software, there may be many more opportunities out there. That can either become an open-season hunting ground for that hacker, or it can bring a fistful of cash to provide that proof of concept to other hackers looking to get in.

    The authorities may want additional proof, or have set up some sort of surveillance waiting for the entity to strike again, and then they can almost catch them in the act. With the laws about hacking being relatively new to most countries and states, removing as much doubt about a particular hacker’s participation in an act holds up better in court.

    I am sure there are companies and websites that are tightly entwined into the local, state and federal governments that might be given a bit of leniency when it comes to reporting a breach, but you’re right – why offer that? A customer and banking institution will suffer more so than a company that is potentially at fault.

    With the brashness of some hacking groups, it’s almost a challenge for the authorities to try and stop potential hacks. Hacks should be treated like say, drunk driving, it can have the same potential impacts, the effect can cause life changing events.

    In the situation of skimmers, I don’t see where less than 3,000 in direct cash can be an option of about 4 years in the slammer, loss of complete trust with any company that uses credit cards or requires a position of trust. What are these people thinking? It’s extremely easy for the authorities to figure the skimmer use out. Most will eventually be caught, but again, you can catch the small fish, but I am sure they are looking to catch the big fish as well, which may be the real reason they are going to keep compromised company breaches under wraps.
