Beyond Heartland: Another Payments Processor Linked to Data Breach

Institutions, Association Warn Consumers About Compromised Cards
Beyond Heartland: Another Payments Processor Linked to Data Breach
In addition to the well-publicized Heartland Payment Systems (HPY) data breach, an additional payment processor appears to have been hacked, affecting an unknown number of banking institutions, consumers and cards. Heartland Payment Systems data breach coverage

Two banking institutions and a state banking association have reported this new breach to their customers, with the Tuscaloosa VA FCU, in Tuscaloosa, AL telling its members that this unidentified U.S. acquirer-processor "has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions."

The credit union says that VISA's compromised account management system (CAMS) alert on February 9 and MasterCard's CAMS alert release on February 11 have not shown up any fraudulent activity. Both card associations reportedly told the credit union that the cards were exposed from February 2008 to January 2009.

Additionally, the Community Bankers Association of Illinois, and the Banker's Bank of Kansas announced to their members that "the unnamed processor recently reported that it had discovered a data breach. The processor's name has been withheld pending completion of the forensic investigation."

VISA officials reportedly told the Community Bankers Association on February 11 that the breach affected all card brands. The evidence indicates that the account numbers and expiration dates were stolen, but there is no assessment of the number of cards affected. In its alert to members, the association said:

"VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event."

Industry Buzz

These three independent announcements confirm industry buzz that has generated since the Heartland breach was announced on Jan. 21. Since then, more than 500 institutions have come forward to say their customers' cards have been compromised as a result of the Heartland breach. Many of these institutions later sent follow-up messages asking "Why am I getting another CAMS alert?"

Other industry security experts had also confirmed that they heard similar buzz about an additional breach.

Two data breach watchdog groups, and the, had both speculated in mid-January that a payments processor had been compromised shortly before Heartland's announcement.

Bad News Comes in Threes?

Even before Heartland, there was the late December news that RBS WorldPay, a U.S. payments processor and credit card non-bank subsidiary of UK-based RBS Bank, had been breached. The December 23 announcement did not include the amount the payment processor had taken on November 8, when the breach was first discovered. Shortly after midnight in a well-coordinated heist, more than 130 ATMs in 49 cities around the world were hit in a half-hour period where criminals used cloned cards with numbers taken from RBS WorldPay's computer systems to take $9 million in cash. RBS WorldPay had stated in its press release that more than 1.5 million accounts were compromised in the breach, but that only 100 cards were used in fraud.

Gartner Group's information security analyst, Avivah Litan, says the news of a third processor being breached should not be a surprise to anyone. She says she predicted this trend several months ago when asked who were hackers going to target next.

"After TJX, it seems that the hackers aren't satisfied with going after just one bank or a retailer," Litan says. "Why not target companies that have the most valuable data to steal, like a payments processor?"

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.