A U.S. payment processing arm of the Royal Bank of Scotland, RBS WorldPay, says that its computer system was hacked in November and personal information on 1.5 million cardholders may have been affected. Only about 100 cardholders were directly affected by fraud, the company says in a public announcement about the breach. RBS WorldPay sent letters notifying the affected cardholders beginning December 23.
RBS WorldPay, based in Atlanta, GA, is the U.S. payment processing division of the Royal Bank of Scotland Group. It provides electronic payment processing services including debit, electronic benefits transfer (EBT), checks, gift cards, e-commerce, customer loyalty cards, fleet cards, prepaid cards, credit cards and ATM processing and cash management services. WorldPay is a non-bank subsidiary of Citizens Financial Group, Inc.
RBS WorldPay says the affected pre-paid cards included payroll cards and open-loop gift cards. A RBS WorldPay spokesperson says that approximately 100 payroll cards had been used in a fraudulent manner, and those cards have been deactivated. PINs for all PIN-enabled cards have been reset as a precaution to thwart fraud. The company also says the affected individuals who were notified are being offered free credit monitoring services for one year to monitor their credit files with the three national consumer reporting agencies. To date there has been no fraudulent activity or identity theft associated with any of the 1.5 million account holders, the RBS WorldPay spokesperson says.
The stolen account information that the hacker got hold of also included the Social Security numbers of about 1.1 million account holders.
In the company's announcement, it says it reported the breach to federal and state law enforcement and federal regulators "shortly after" the breach was discovered on November 10. The RBS WorldPay spokesperson said the time between the discovery of the breach on November 10 and the December 23 public notification was a result of the investigation of the breach. Law enforcement and the security experts investigating the breach worked with RBS WorldPay staff to determine exactly what accounts and information may have been affected before an announcement was made, notes the RBS WorldPay spokesperson.
Gift cards issued by RBS WorldPay were purchased before the breach retain their value and can be used wherever they are accepted by merchants. The RBS spokesperson says gift cards that had not been purchased have been deactivated and removed from retailers to be destroyed as an additional precaution. No number was available for the number of gift cards that were destroyed.