The Agency Insider with Linda McGlasson

A Tale of Two Breaches

A Tale of Two Breaches

I got a call recently from a friend of mine (let's call her Sally) who is a fraud expert in the financial services industry. She had just heard from her bank, US Bank, asking if she'd been to Orlando recently. She responded no, she hadn't (It is never a good thing when your bank asks if you've been somewhere you haven't been).

Her bank told her that her Visa credit card had been used at a variety of stores, attractions and fast food places in Orlando, and that over $900 worth of charges had been racked up on her card -- all within a few minutes of one another.

Now, cue the ominous music ...

When the bank told her which card number, she realized it was a brand new card that she and her husband had only used once back in mid February 2009 -- at a Radisson Hotel.

This call, mind you, was well ahead of the announcement by Radisson on August 19 that it had been breached at some of its locations in U.S. and Canada.

After the phone call from her bank, Sally re-visited the hotel to inquire about how her credit card may have been compromised. After speaking with the hotel manager, she thought to ask, "Who is your payment processor?" The manager replied, "Heartland." This particular hotel uses Heartland to process payments, although according to Radisson the rest of the chain uses Elavon.

There are only two places that the card information could have been taken, according to Sally: the hotel restaurant's point of sale terminal, or at the processor. "So it's a 50-50 chance that the compromise had to happen at Heartland," Sally says. So far, the investigation by Radisson's forensics experts doesn't show any insider collaboration in the breach. If, indeed the credit card was breached at the payment processor, it happened after the payment processor's Jan. 20 announcement of the discovery of a breach of its systems.

The good news is: U.S. Bank was quick to pick up on the numerous charges and questioned them. Sally says without the phone call, she would not have known about the charges because they didn't even make it onto the bill she received.

Kudos should go out to the bank. It could have been a lot worse for Sally if the bank didn't call.

Her advice to consumers: "The theme of the day is diligence -- making sure you are checking statements and working with companies who take protecting your identity seriously. If it were not for my financial institution spotting this quickly, it would have been a lot worse."

The advice for institutions out there with credit card accounts: Practice due diligence in fraud monitoring, and get a fraud alert capability set up for your customers.

As for payment processors? It's pretty clear that there is a need for comprehensive, continuous monitoring and constant vigilance. Stay alert out there on the front lines; this is a war.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.