Beyond Heartland: Another Payments Processor Linked to Data Breach
Institutions, Association Warn Consumers About Compromised Cards
Two banking institutions and a state banking association have reported this new breach to their customers, with the Tuscaloosa VA FCU in Tuscaloosa, AL, telling its members that this unidentified U.S. acquirer-processor "has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions."
The credit union says that VISA's compromised account management system (CAMS) alert on February 9 and MasterCard's CAMS alert release on February 11 have not turned up any fraudulent activity. Both card associations reportedly told the credit union that the cards were exposed from February 2008 to January 2009.
Additionally, the Community Bankers Association of Illinois and the Banker's Bank of Kansas announced to their members that "the unnamed processor recently reported that it had discovered a data breach. The processor's name has been withheld pending completion of the forensic investigation."
VISA officials reportedly told the Community Bankers Association on February 11 that the breach affected all card brands. The evidence indicates that the account numbers and expiration dates were stolen, but there is no assessment of the number of cards affected. In its alert to members, the association said:
"VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event."
These three independent announcements confirm industry buzz that has been building since the Heartland breach was announced on Jan. 21. Since then, more than 500 institutions have come forward to say their customers' cards have been compromised as a result of the Heartland breach. Many of these institutions later sent follow-up messages asking "Why am I getting another CAMS alert?"
Other industry security experts had also confirmed that they heard similar buzz about an additional breach.
Two data breach watchdog groups, Databreaches.net and the OpenSecurityFoundation.org, had both speculated in mid-January that a payments processor had been compromised shortly before Heartland's announcement.
Bad News Comes in Threes?
Even before Heartland, there was the late December news that RBS WorldPay, a U.S. payments processor and credit card non-bank subsidiary of UK-based RBS Bank, had been breached. The December 23 announcement did not include the amount the payment processor had taken on November 8, when the breach was first discovered. Shortly after midnight, in a well-coordinated heist, more than 130 ATMs in 49 cities around the world were hit in a half-hour period in which criminals used cloned cards with numbers taken from RBS WorldPay's computer systems to take $9 million in cash. RBS WorldPay had stated in its press release that more than 1.5 million accounts were compromised in the breach, but that only 100 cards were used in fraud.
Gartner Group's information security analyst, Avivah Litan, says the news of a third processor being breached should not be a surprise to anyone. She says she predicted this trend several months ago when asked whom hackers were going to target next.
"After TJX, it seems that the hackers aren't satisfied with going after just one bank or a retailer," Litan says. "Why not target companies that have the most valuable data to steal, like a payments processor?"