Hackers Used Brighton District Library to Steal Credit Card Numbers

Using the library's online donation page, hackers would run names and credit card numbers until a successful donation went through.

People seeking to steal credit card numbers have been using the online donation page to do so, and at least seven people have had their numbers stolen as a result of hackers hijacking the donation system.

The FBI recently launched an investigation into the hacking, which has been occurring since March of this year and was finally noticed by library staff in early July. The FBI has traced the transactions to Internet Protocol addresses based in Pakistan and Australia, and is still tracking down the people behind the attacks.

Nancy Johnson, director of the library, said that the library's system is secure and that information people put forth when they donate is protected. She said the hackers didn't steal numbers out of the library's database; instead, they used the online donation form to match a name they found with a credit card number.

Johnson said that the hackers, after finding a real person's name, would use an algorithm that would randomly generate numbers in an attempt to get a match to that person's actual credit card. If the donation was denied, the hacker would try the name again with a new combination of numbers. If the donation was accepted, the hacker would know the number could be used.

After checking library records, Johnson and her staff discovered the hackers had been attempting donations 15 to 40 times a day since March. Johnson said her staff first started to notice something strange was going on over the Fourth of July weekend, when she reviewed four suspicious donation receipts. Among those were two separate donations from the same person in a short amount of time. The entries were identical, except the state listed was changed from Michigan to California.

Johnson also said all four of the suspicious receipts were marked "anonymous", an option that is rarely used.

"Typically, I would say one out of 100 of our donors marks that anonymous," she said. 

Johnson said, in addition to the seven who have had their numbers stolen, the library has had calls from three people who reported receiving a bill from the library. All the people affected have no connection with the library or Livingston County.

"From the east coast, from Minnesota and from Texas," Johnson said of the calls. She said the FBI has not found out how much has been stolen from all the affected individuals.

The library suffered fiscally from the attacks as well, having to pay several hundred dollars to the authorization company that deals with approving credit cards. The company charged the library for each transaction attempt, whether or not it was successful.

As a short-term solution, the library has put in a series of filters, limiting the number of attempts an IP address can make in one day. Despite these filters, Johnson said that attacks are still coming every day. Hackers are stopped after four attempts, but that still leaves a chance for identity theft.

"All they have to do is hit one that works," Johnson said.

The scam is the first one of its kind for any library in Michigan, as far as Johnson knows. She's been asked to share her experience with other libraries in Michigan as a warning, and to see whether this is a trend elsewhere. Johnson said that the FBI told her this kind of scam is common with online hotel and motel websites, because they see high Internet traffic.
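
The per-IP filter described above stops an address after four attempts a day, but the same name can still be retried from other addresses. The sketch below is an added example, not the library's own filter: it applies the four-attempt IP cap and, as an assumption that goes beyond what the article describes, also counts declined attempts per donor name. The log entries, names, addresses and the `NAME_CAP` threshold are constructed.

```python
from collections import Counter
from datetime import datetime

IP_CAP = 4    # attempts per IP per day, the cap the article reports
NAME_CAP = 4  # assumption: declined attempts allowed per donor name per day

# Constructed sample log: (timestamp, source IP, donor name, card approved?)
# IPs come from documentation ranges; names and dates are invented.
ATTEMPTS = (
    [(f"2024-07-02T10:{m:02d}:00", "203.0.113.5", "Pat Example", False) for m in range(6)]
    + [(f"2024-07-02T11:{m:02d}:00", "198.51.100.9", "pat  example", False) for m in range(4)]
    + [("2024-07-02T12:00:00", "192.0.2.44", "Lee Donor", True)]
)

def screen(attempts, name_cap=None):
    """Split attempts into (forwarded, blocked).

    Forwarded attempts reach the card processor, which bills per attempt.
    With name_cap=None only the per-IP cap applies.
    """
    per_ip, declines = Counter(), Counter()
    forwarded, blocked = [], []
    for ts, ip, name, approved in attempts:
        day = datetime.fromisoformat(ts).date()
        ip_key = (day, ip)
        # Normalise case and spacing so trivial edits do not reset the count.
        name_key = (day, " ".join(name.lower().split()))
        if per_ip[ip_key] >= IP_CAP:
            blocked.append((ts, ip, "ip-cap"))
            continue
        if name_cap is not None and declines[name_key] >= name_cap:
            blocked.append((ts, ip, "name-cap"))
            continue
        per_ip[ip_key] += 1
        if not approved:
            declines[name_key] += 1
        forwarded.append((ts, ip, name))
    return forwarded, blocked

if __name__ == "__main__":
    for label, cap in (("IP cap only", None), ("IP cap + name cap", NAME_CAP)):
        fwd, blk = screen(ATTEMPTS, name_cap=cap)
        print(f"{label}: {len(fwd)} sent to processor, {len(blk)} blocked")
```

On this sample the name-keyed counter cuts billable attempts against the repeated name from eight to four while the unrelated approved donation still goes through.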

