ATM Fraud Linked In RBS WorldPay Card BreachThieves Net $9 Million in 30 Minutes
In what is being called a well-orchestrated ATM card scam, the true extent of RBS WorldPay's public announcement in late December that its computer systems had been hacked in November has been revealed. In a news report on Wednesday, FBI law enforcement said that a network of thieves withdrew $9 million from 130 ATMs in 49 cities around the world just after midnight on November 8 with cloned cards created from stolen data taken in the RBS WorldPay hack.
Back on December 23 the U.S. payment processing arm of the Royal Bank of Scotland, RBS WorldPay, announced that its computer system was hacked in November and personal information on 1.5 million cardholders may have been affected. Only about 100 cardholders were directly affected by fraud, the company said in its public announcement about the breach. RBS WorldPay sent letters notifying the affected cardholders beginning December 23 (RBS WorldPay announcement).
A unique twist in the case is the hackers that took the card information in the data theft then cloned cards and changed the daily withdrawal limits on the cards, which allowed them to use the same cards over and over to withdraw $500 each time. The cities where the thieves took money included Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong. The authorities said that they had never witnessed a fraud on such a large scale or so well coordinated.
The FBI has no suspects in the case and has issued information posters asking the public for help in identifying the thieves. There are at least two class action lawsuits filed by law firms in Atlanta and Philadelphia against RBS WorldPay, charging the company failed to protect personal information.