Business & Finance
News
7/21/2005
02:27 PM
Connect Directly
RSS
E-Mail
50%
50%

Unauthorized Data Access At CardSystems Began In April 2004, Bank Says

Congressional testimony details how unknown party gained access to payment-card data, exposing 40 million accounts and stealing 263,000 records.

Unauthorized activity at CardSystems Solutions Inc. that led to the exposure of 40 million payment cards started as early as April 2004, according to a security assessment performed by a bank that makes payments to merchants using CardSystems' services.

In prepared testimony given at a hearing Thursday before the House Committee on Financial Services, David Watson, chairman of Merrick Bank, said that a forensic IT audit firm it hired after learning of a security breach at CardSystems in May reported that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The audit firm also reported that CardSystems was retaining transaction data in violation of Visa USA Inc. rules.

Visa and American Express Co. earlier this week said that CardSystems would no longer be allowed to process transactions for their branded cards after October. Visa said it took the step because CardSystems was retaining transaction data in "unmasked" form, allegedly for research purposes, in violation of Visa's rules.

In prepared testimony at Thursday's hearing, CardSystems president and CEO John Perry said that in September, an unauthorized party placed a script, or sequence of instructions, on the CardSystems platform through an Internet-facing application used by customers to access data. The script caused records to be extracted, zipped into a file, and exported to an FTP site. "It was a sophisticated script that targeted a particular file type and was scheduled to run every four days," Perry said.

The script searched for records on individual cardholders, including name, account number, expiration date, and CVV code (a three-digit number encoded on a card's magnetic strip). On May 22, the script succeeded in exporting 263,000 records from CardSystems' system.

The records consisted of transactions that hadn't been completed. CardSystems was storing the transactions for research purposes to determine why they weren't completed, Perry said. The data was stored in readable form, in violation of Visa and MasterCard security requirements, he said. The data didn't include cardholder Social Security numbers, and thus couldn't be used for identity theft, Perry said.

It could, however, have been used to create counterfeit cards. Retention of this information "makes the database a much more attractive target for criminals," said Steve Ruwe, Visa's executive VP of operations and risk management, at Thursday's hearing. A total of 22 million Visa cards and 13 million MasterCard cards were put at risk by the security breach.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.