Saturday, June 18, 2005

CardSystems' missing 40 million records

Two consumers enjoying their privacy (CardSystems)

The details are sketchy, yet ominous. As many as forty million consumer credit-card records may have been stolen from CardSystems, a major payment-processing house.

The theft was discovered back on May 22nd. And CardSystems seems none too pleased that MasterCard has disclosed the extent of the breach. Publicly, MasterCard indicated that:

...intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data...

In addition, MasterCard reported that:

...CardSystems Solutions was hit by a computer virus that sucked up card numbers and other customer data...

Who was behind it? Probably organized crime, at least based upon information in this Boston Globe article:

...MasterCard said yesterday that criminals used a computer virus to collect vast amounts of financial data moving through the company's computer network and estimated that 13.9 million of its accounts may have been stolen. Thieves also had access to millions of cards issued by Visa and Discover, as well as some American Express cards...

...examination of CardSystems computers found that information had been copied from a database containing 40 million account numbers from a variety of credit card brands. It also found that the CardSystems network had been infected sometime late last year, meaning that the data thieves had been able to collect credit card numbers for several months before the breach was detected.

The investigators found that some of the stolen card numbers have been used illegally. "We are aware of some fraud from the data that's been taken," said Jessica Antle, spokeswoman for MasterCard International. She added that the thieves had used very few of the stolen account numbers so far...

Some expressed surprise that a breach of this scale was possible:

...Former federal prosecutor Mark Rasch, chief technical counsel for computer security firm Solutionary Inc., was surprised by the scale of the crime. "It's not surprising that there's a breach," Rasch said. "It is surprising that there's this large a breach." Rasch said that the data-stealing computer virus should have been quickly detected if CardSystems ran regular virus scans...

Was it a virus... or something altogether different? The LA Times, via Slate, says:

...a "rogue program" planted in the computer network of CardSystems compromised millions of card numbers...

The FBI is probably hunting down possibilities of an inside job or an Israeli-style social engineering scam (the recent Israeli corporate espionage debacle included trojans that were snail-mailed to victims as software updates from a corporate IT department).

Ironically, CardSystems' website boasts of its e-Payment Systems offering:

...In today's information age, new technologies... increase the risk of fraud as perpetrators find new ways to infiltrate systems. You need payment solutions that help you grow revenue and maximize efficiencies while mitigating fraud...

Yes, we do. That's their mission statement, eh? Repeat after me: forty... million... records.

And now CardSystems' livelihood itself may be at stake. MasterCard has reportedly given CardSystems "an undisclosed deadline to demonstrate that its systems are now secure".

That ought to be quite a demonstration.

After reports like this one and the Israeli trojan horse scandal, one is left only to speculate how much cyber-criminal activity remains ongoing and completely undetected.
