February 24, 2009 5:01 PM PST

Credit card data breached at unnamed payment processor

by Elinor Mills

Another U.S. payment processor has suffered a database breach that exposed credit card and debit card information, according to several credit unions. The name of the payment processor has not been released and it is unclear how many consumers are affected.

Blog site DataBreaches.net has been tracking the reports here and here.

The Community Bankers Association said in a statement on its site two weeks ago that Visa announced that an unnamed processor reported a data breach and that the name of the processor was being withheld pending completion of a forensic investigation.

The breach appears to have affected fewer account holders than were affected by a breach reported by Heartland Payment Systems last month, but represents a "significant number nonetheless," the statement said. "According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen."

The Tuscaloosa Virginia Credit Union posted a statement on its site that said malicious software was placed on the processor's system but there is no evidence that accounts were viewed or data taken by hackers.

The Pennsylvania Credit Union Association also issued a statement, as did the Alabama Credit Union, which said it was limiting Visa ATM and debit card purchases to $99 per day as a result of the breach.

Credit card and debit card users are encouraged to monitor their statements carefully.

The incident is the latest in a string of breaches at payment processors, including one at RBS WorldPay last year that enabled scammers to clone cards and withdraw millions of dollars from bank accounts.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by yacahuma February 24, 2009 5:20 PM PST
Do hackers know something we don't? If I encrypt my database data with 256 AES, can they really crack that sucker? Or is it just that these processors don't have any security measures? Can they tell us how they did it, so everyone else can protect against that? It seems to me that the bad guys always know more than the good guys.
by discern February 24, 2009 5:44 PM PST
If I encrypt a string w/ 256 bit AES, I use a key to do it. If I want to decrypt it, I use that key. The problem lies in storing the key.
by ti99_forever February 24, 2009 5:50 PM PST
I worked for a major Telecom co 7 years ago, and we sent credit info in plaintext. I won't say who.
"Can you hear me now?"

Also, work now for a hospital who sends patient info in plaintext via ftp. Includes names, addresses, birth dates, SSNs, and of course the radiology results. Used to send it via 3.5" disk. Imagine that being dropped. Not that ftp is any more secure.

Just because the technology is available does not mean it is used. Think about it... it's cheaper to not change your processes...
by mmccaull February 24, 2009 5:56 PM PST
Why are we bailing these guys out? And... Why are we making such a strong case for the mark of the beast? With today's knowledge and development tools, there is no excuse for this.

To whom much is entrusted to, much is expected...
by February 24, 2009 7:25 PM PST
It's really hard for network guys to know where to start to look for these kinds of failures. Pretty much every financial institution is in a perpetual game of cat and mouse on this stuff because there are just so many ways information can be moved. I don't know of any payment processing services that don't encrypt. The PCI standard requires it from the point of sale to the back end where payments are cleared for all Tier 1 vendors and those requirements are being pushed down to lower tiers over time.

There have to be times when data is decrypted to be used. Unfortunately the places where that happens are often outside of the immediate control of the payment processor. The financial services industry is really pushing hard to make this process as secure as possible, but processes are flawed and hackers are smart and move fast. The way that standards and regulations are going in this space will hopefully have a positive impact on the number, frequency and size of these breaches.

I guess the only thing the consumer can do in the meantime is take precautions. Watch your credit card statements for unexpected charges and report them immediately. Put a fraud alert in place with the credit bureaus and always use PINs and passwords that are not obvious, don't write them down and keep them to yourself.
by JCPayne February 24, 2009 7:53 PM PST
This new policy of all companies asking your mother's maiden name etc. is so dumb...

It is easy to hack these days... Many people put their birthdate etc. on things like Myspace + Facebook etc. With that, a lot of banks etc. will allow you to verify a faulty password with birthdate information etc. Or if you get a hold of someone's credit report that will give out a person's credit card numbers....
by Harrison912 February 25, 2009 11:02 AM PST
Since I process cards on my safety and security web site as well as for my sales incentives business, I'm very interested in this story. Thanks, Elinor, for this information.