Another payment processor said to suffer data breach

Just weeks after Heartland Payment Systems Inc. disclosed what may be one of the largest breaches of payment card data thus far, news is emerging of what could be another major breach involving a payment processing company.

The identity of the payment processor is still unclear, as is the number of credit and debit cards that were compromised in the breach. What is known is that attackers broke into systems at a U.S.-based company and that the breach exposed the account numbers and expiration dates of payment cards used in so-called card-not-present transactions between last February and this January.

The breach is the third affecting a payment processor to come to light since late last year, following the one that Heartland acknowledged last month and another that RBS WorldPay Inc. disclosed in December. The latest incident underscores concerns within the financial industry that attackers are increasingly targeting payment processors, which typically handle far more card data than individual retailers do.

Both Visa Inc. and MasterCard International Inc. have begun quietly notifying banks and credit unions of the new breach and providing them with lists of the affected card numbers. As with the breach at Heartland, no unencrypted PINs, card verification codes or customer Social Security numbers were exposed, according to the notifications. They also indicated that the latest incident didn't involve the compromise of data from the magnetic stripes on the back of cards, whereas Heartland said that some magnetic-stripe data may have been taken in the breach there.

In a statement sent via e-mail, Visa said it's aware that a processing firm has "experienced a compromise of payment card account information from its systems." But Visa didn't identify the affected payment processor in its statement, which said that card holders are protected financially from illegitimate purchases through the company's zero-liability fraud-protection policy.

MasterCard confirmed in a statement that it also has begun alerting card issuers about what it described as a "potential" breach. "In response to a potential security breach affecting an acquiring processor in the United States, MasterCard is monitoring developments and has notified issuers of cards that were determined to be improperly accessed by an unauthorized party," the company said. MasterCard added that it was providing the notices so that banks and credit unions could monitor for suspicious account activity and take steps to protect their card holders.

The breach was first reported by the Office of Inadequate Security blog site on Saturday. Since then, the blog has posted alerts from various organizations reporting that they were informed of the breach by Visa and MasterCard. Among them are the Tuscaloosa VA Federal Credit Union in Alabama, the Pennsylvania Credit Union Association, the Community Bankers Association of Illinois and the New York State Consumer Protection Board.

In addition, Computerworld found a similar advisory posted on the Web site of the Alabama Credit Union in Tuscaloosa that discusses the latest breach and its impact on that institution's customers.

ACU initially posted the alert on Feb. 17, saying then that it had been contacted by Visa about the breach and told that about 250 credit cards issued by the credit union had been compromised. An update posted two days later said Visa had informed ACU that a "lengthy list" of ATM and debit card numbers also had been exposed.

The alert said that fraudulent transactions had been carried out with some of the stolen ATM and debit card numbers, primarily involving $100 purchases of prepaid phone cards, gift cards and money orders from Wal-Mart stores. As a result, ACU said it was limiting purchases on all of the cards on Visa's list to $99 per day while working to issue new cards to customers. Customers will still be able to conduct PIN-based ATM transactions at the usual dollar limits with their existing cards until the replacement ones arrive, the credit union said, adding that all of the cards on the list will be blocked no later than March 3.

The alert posted by the Tuscaloosa VA Federal Credit Union said that there had been "confirmed unauthorized access" to a U.S.-based payment processor's settlement system containing stored transaction data. Visa began releasing lists of affected card numbers on Feb. 9, and MasterCard followed suit two days later, according to the credit union.

Tuscaloosa VA, which originally was set up for employees of a U.S. Department of Veterans Affairs medical center in Tuscaloosa, made it a point to note that the latest breach is different from the one disclosed by Heartland on Jan. 20. But as was the case at Heartland, malicious software was placed on the unidentified payment processor's systems, the credit union said. It added that because the processor has yet to publicly announce the breach, Visa and MasterCard have been unable to release the company's name.

On Dec. 23, Atlanta-based RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, disclosed that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million owners of prepaid payroll and gift cards. The compromised information included the Social Security numbers of about 1.1 million people, the company said.

The scope of the breach reported by Princeton, N.J.-based Heartland is still unknown. Thus far, about 440 banks and credit unions have reported being affected by the breach, according to a list posted by the news portal.

Some analysts have estimated that the breach at Heartland, which processes more than 100 million card transactions per month, may end up displacing the one disclosed in January 2007 by The TJX Companies as the largest-ever compromise of card data. TJX, a retailer based in Framingham, Mass., eventually said that 45.6 million credit and debit card numbers were stolen from its systems over an 18-month period.

Heartland has already been hit by a class-action lawsuit that was filed by a Pennsylvania-based law firm. Meanwhile, three people were arrested in connection with the Heartland breach this month, for allegedly using credit card numbers stolen in the intrusion. More arrests are considered likely.

This story, "Another payment processor said to suffer data breach," was originally published by Computerworld.

Copyright © 2009 IDG Communications, Inc.