RBS WorldPay Hacked

1.5 Million Cardholders at Risk

A U.S. payment processing arm of the Royal Bank of Scotland, RBS WorldPay, says that its computer system was hacked in November and personal information on 1.5 million cardholders may have been affected. Only about 100 cardholders were directly affected by fraud, the company says in a public announcement about the breach. RBS WorldPay sent letters notifying the affected cardholders beginning December 23.

RBS WorldPay, based in Atlanta, GA, is the U.S. payment processing division of the Royal Bank of Scotland Group. It provides electronic payment processing services including debit, electronic benefits transfer (EBT), checks, gift cards, e-commerce, customer loyalty cards, fleet cards, prepaid cards, credit cards and ATM processing and cash management services. WorldPay is a non-bank subsidiary of Citizens Financial Group, Inc.

RBS WorldPay says the affected prepaid cards included payroll cards and open-loop gift cards. An RBS WorldPay spokesperson says that approximately 100 payroll cards had been used in a fraudulent manner, and those cards have been deactivated. PINs for all PIN-enabled cards have been reset as a precaution to thwart fraud. The company also says the affected individuals who were notified are being offered free credit monitoring services for one year to monitor their credit files with the three national consumer reporting agencies. To date there has been no fraudulent activity or identity theft associated with any of the 1.5 million account holders, the RBS WorldPay spokesperson says.

The stolen account information also included the Social Security numbers of about 1.1 million account holders.

In the company's announcement, it says it reported the breach to federal and state law enforcement and federal regulators "shortly after" the breach was discovered on November 10. The RBS WorldPay spokesperson said the time between the discovery of the breach on November 10 and the December 23 public notification was a result of the investigation of the breach. Law enforcement and the security experts investigating the breach worked with RBS WorldPay staff to determine exactly what accounts and information may have been affected before an announcement was made, notes the RBS WorldPay spokesperson.

Gift cards issued by RBS WorldPay that were purchased before the breach retain their value and can be used wherever they are accepted by merchants. The RBS spokesperson says gift cards that had not been purchased have been deactivated and removed from retailers to be destroyed as an additional precaution. No figure was available for the number of gift cards that were destroyed.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.