Undisclosed Breach Threatens Consumers
Story By DataLossDB.org
As we mentioned over a week ago, a new processor breach seems to have occurred. Banks around the country are being notified of a new breach unrelated to the Heartland Payment Systems breach.
When we initially wrote about it, we were acting on a tip that was corroborated by other sources who wish to remain anonymous. What we knew at the time but couldn’t publish was that it was a “card not present” breach at an “acquirer / processor”. We’re now able to say this specifically, as another source has come out publicly with the information (props to databreaches.net for finding this source).
What we still don’t know is which processor has been breached. According to the aforementioned article, and as confirmed by our sources, Visa and MasterCard are refusing to disclose which acquirer/processor suffered the breach, because the organization itself hasn’t yet released a public statement.
We do know, from the aforementioned article and through investigative work done here as well, that the breach in question isn’t a magstripe breach (hence “card not present”). The term “card not present” has been used repeatedly by almost every source we have, and by that article as well. We also know that some cards affected by the Heartland breach may also have been affected by this one, which has caused confusion at banks about which cards to reissue.
Our questions: No magstripe data? All “card not present”? Either this was a breach of a major processor’s online transaction system, or the breach was at a major online payment processor. Those are our guesses, but we’ve been surprised before. Also, why hasn’t the breached organization come forward? It has been “suggested” to us that some sort of “gag” order is in effect on the topic, but we haven’t been able to determine whether that is an actual judicial order or merely an unofficial instruction to keep quiet.
As to the size and scale of this new breach, we’re hearing mixed reports, ranging from smaller than Heartland to larger than Heartland, and since we don’t yet have a card count for Heartland either, any estimate of how big this new breach is remains even more speculative. One thing is certain: the two breaches amount to a lot of card replacements, a lot of bankers working overtime, and a lot of consumers inconvenienced, or worse, defrauded.
More details as this unfolds, as it no doubt will.
Filed under: Breach, Class Action Lawsuit, D&O Liability, Financial, Government, ISR News, PCI, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy
Comments
2 Comments on Undisclosed Breach Threatens Consumers
-
John B. Frank on
Tue, 24th Feb 2009 7:08 pm
I agree that speculation runs rampant. However, according to today’s DataBreaches.net website, it may not only be “card not present” information that was breached. Here’s a quote from DataBreaches.net’s website:
“All signs point to it being a large processor. The recent revelation that the breach “also involved ATM/Debit cards”…and “not just card-not-present fraud” …changes the pool of possible candidate processors.”
As editor of the PIN Payments Blog, I’ve received numerous tips from various industry resources and these “reliable sources” tell me that this breach involves a major processor.
What constitutes a “major processor”? Heartland is the nation’s 6th largest processor. So the question is… is the 6th largest considered major?
In golf there are only 4 majors. Are there more or fewer in the payments industry?
Another question will be: is this another “TrustWave” client, giving them the trifecta? (Both of the previous breaches, RBS WorldPay and Heartland, were PCI certified/given the A-OK by TrustWave.)
The fact remains that a year from now, it won’t really matter. The industry is changed forever. Now that hackers have learned how to get into one processor, two processors, three… they’ll know how to get into them all.
Bob Carr is correct in his assumption that the payments industry as a whole needs end-to-end encryption (E2EE). But that will take time, and time is the enemy now.
Prior to receiving my new information, I too believed it was an online payments processor that was breached. Therefore, using information from the recently released CyberSource “UK Online Fraud Report 2009,” I authored a post on http://www.PINDebit.blogspot on how a non-alternative could alleviate some, if not most, of their findings.
In that post I pointed out only 3 of CyberSource’s many key findings.
1. Real-time authorizations don’t exist online.
2. Merchants bear the costs of fraud, and
3. Half of the people don’t trust the online ecosystem/current payment offerings.
I provided a common sense (non-alternative) solution to all 3 problems and invited people to do research and tell me where I’m wrong. I invite any reader of Information-Security-Resources.com to read it and do the same.
In closing, the industry needs E2EE. There’s only one methodology that offers it. It isn’t the way it’s done now. It is the way it should be done in the future. If that isn’t clear after 3 breaches in 3 months, then the hackers will prove that things don’t always happen in threes. They happen in hundreds of millions of cards being breached.
JBF
-
Michael & Jil on
Sat, 28th Feb 2009 5:17 pm
The Nebraska merchant market has been deluged in the last 18 months by a revolving door of Heartland Payment Systems sales individuals.
Turnover above and beyond 28, in a market which might support 6-10 at any given time.
Local management are known to be spin-doctors and decreasingly supportive after recruitment, à la a pyramid structure of reaping benefits without retention of employees.
Recent national news questions CEO Robert Carr and hundreds of bank partners about significant sales of HPS stock prior to the announcement of the largest identity security breach ever experienced by a credit card processor, most of which took place over the course of 2008.
As President Obama reasons, small to medium sized businesses need to be protected and educated. These are the target market for Heartland Payment Systems, nationwide.