Sophisticated Attack Yields Data On IEEE Members

IEEE, the world’s leading society for technical professionals, has warned some 800 members that their credit card and personal information may have been stolen. The FBI has been notified of the breach.

IEEE credit cardsIEEE, the world’s leading society for technical professionals, has warned some 800 members that their credit card and personal information may have been stolen. The FBI has been notified of the breach.

The group disclosed the November, 2010 breach in a letter to the New Hampshire Attorney General, dated February 24, in keeping with that state’s data privacy law. While the source and purpose of the security breach aren’t known, IEEE’s membership of technical professionals raises concerns about whether group members might be the targets of sophisticated phishing and social engineering attacks using stolen data.

IEEE did not immediately respond to e-mail and telephone requests for comment.

IEEE, based in Piscataway, New Jersey, describes itself as the world’s largest technical professional society, with some 400,000 members globally, half of them in the U.S.  Group members include senior executives and rank and file professionals in fields such as Aerospace, information technology, nuclear engineering, robotics and manufacturing. The group reported annual revenues of $389 million in 2009.

According to a letter from the law firm of Dorsey and Whitney LLP, (PDF) IEEE’s law firm, the group first became aware of intrusions into its database in December, 2010. A subsequent forensic investigation revealed that a file containing customer credit card information had been deleted a month earlier. The individual or individuals responsible for deleting that file would have access to the card holder data and other sensitive information on those IEEE members prior to deleting the file, the letter said.

A letter from the group to affected IEEE members describes the organization as a victim of a “sophisticated network intrusion” that exposed data from  an IEEE database used when members registered for an IEEE conference. The stolen information included the members’ name, credit card number, expiration data and card identification number. Retaining such data is not a violation of the Payment Card Industry Data Security Standard (PCI DSS), though the practice is discouraged because of the potential for security breaches and identity theft resulting from them.

IEEE said it had notified the FBI about the breach and that the group is assisting with the investigation. The group said it had not proof that the credit card information was removed from their system, but was notifying members “out of abundance of caution.” Members were encouraged to review credit card statements for unauthorized activity and to contact credit and bank card issuers.

Still unclear was whether the IEEE breach was an opportunistic attack aimed at stealing just credit card information, or a sophisticated and targeted attack aimed at siphoning off information about members, many of whom work within organizations and industries that are known to be of interest to foreign governments. A similar question of intention arose in January after a breach was disclosed at the Pentagon Credit Union, where personal and financial data on the credit union’s membership was stolen.

Suggested articles