Genesco Inc. Data Breach (2009)

From December 2009 to December 2010, com- puter hackers accessed Genescos computer network by compromising a particular feature of security protocols that govern payment of card transactions in the United States. Id. at 17. Most payment card transactions are initi- ated by the account holders payment card be- ing_swiped_ at the point of sale. Each Visa card has a_mag-stripe_ with the necessary informa- tion to effect the purchase, including the ac- count number, the cards expiration date, and the cards CVC, a security code. Id. at 18. The merchant swipes the customers Visa card and the cards mag-stripes information is elec- tronically transmitted to the merchants acquir- ing bank and then to the cardholders issuing bank. Id. These transactions are referred to as a _mag-stripe-swipetransaction._ Id. The cyber attackers stole payment card account data as Genesco transmitted that data to Fifth Third and Wells Fargo in unencrypted form dur- ing the approval process. Id. at 19, 20. To [*11] do so, the cyber attackers inserted into Ge- nescos computer network malicious software (_malware_) that employs a _packet sniffer_ technology to acquire unencrypted account data in transit through Genescos computer net- works transmissions to Fifth Third or Wells Fargo for transaction approval. Id. The cyber at- tackers, however, did not access any stored payment card account information in Genes- cos computer network. Id. at 21