Charge Anywhere Confirms Card BreachPayment Solutions Provider Says Malware Infected Network
Payment solutions provider Charge Anywhere is warning merchants and cardholders of a data breach that may have exposed information related to payment card transactions dating back as far as Nov. 5, 2009.
The New Jersey-based company - whose solutions route payment transactions from merchants' point-of-sale systems to their payment processors - discovered malware on its systems on Sept. 22 that "had not been previously detected by any anti-virus program," according to a notice on its website.
Charge Anywhere says it removed the malware and hired a computer security firm to investigate how the malware was used. The investigation revealed that an unauthorized individual gained access to the company's network and installed the malware, which had the ability to capture segments of outbound network traffic.
"Much of the outbound traffic was encrypted," the company says. However, the intruder was able to view certain outbound messages in plain text, which showed payment card transaction authorization requests.
"During the exhaustive investigation, only files containing the segments of captured network traffic from Aug. 17, 2014, through Sept. 24, 2014, were identified," Charge Anywhere says. "Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as Nov. 5, 2009."
Information that may have been compromised includes cardholder name, account number, expiration date and verification code. The company provided a searchable list of merchants who may have been affected by the incident.
Individuals who used their card at one of the impacted merchants during the period of compromise are urged to review their account statements for any unauthorized activity. The issue did not affect any system or device at merchant locations, Charge Anywhere says.
The company says it has been working to further strengthen its security measures following the incident. Charge Anywhere says it's also been working with credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period of compromise.
Charge Anywhere was not immediately available for comment on further details, including how many individuals were affected by the breach.
POS Vendor Breach
In September, point-of-sale system vendor Signature Systems Inc. confirmed that an unauthorized individual gained access to a username and password that was used to remotely access POS systems. The breach resulted in 324 restaurants being impacted, including 216 Jimmy John's locations.
Incidents such as these should prompt organization to reach out to their business partners and vendors to ensure they've taken sufficient steps to protect their systems, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service.
"Reach out to all of your relevant business partners and vendors to see what steps they have taken, outside of routine compliance, to scan and further protect their systems," he says. "Everyone should audit logins for third-party vendors and former employees to ensure that they are disabled when appropriate."