Business & Finance
News
7/21/2005
02:27 PM
Connect Directly
RSS
E-Mail
50%
50%

Unauthorized Data Access At CardSystems Began In April 2004, Bank Says

Congressional testimony details how unknown party gained access to payment-card data, exposing 40 million accounts and stealing 263,000 records.

Unauthorized activity at CardSystems Solutions Inc. that led to the exposure of 40 million payment cards started as early as April 2004, according to a security assessment performed by a bank that makes payments to merchants using CardSystems' services.

In prepared testimony given at a hearing Thursday before the House Committee on Financial Services, David Watson, chairman of Merrick Bank, said that a forensic IT audit firm it hired after learning of a security breach at CardSystems in May reported that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The audit firm also reported that CardSystems was retaining transaction data in violation of Visa USA Inc. rules.

Visa and American Express Co. earlier this week said that CardSystems would no longer be allowed to process transactions for their branded cards after October. Visa said it took the step because CardSystems was retaining transaction data in "unmasked" form, allegedly for research purposes, in violation of Visa's rules.

In prepared testimony at Thursday's hearing, CardSystems president and CEO John Perry said that in September, an unauthorized party placed a script, or sequence of instructions, on the CardSystems platform through an Internet-facing application used by customers to access data. The script caused records to be extracted, zipped into a file, and exported to an FTP site. "It was a sophisticated script that targeted a particular file type and was scheduled to run every four days," Perry said.

The script searched for records on individual cardholders, including name, account number, expiration date, and CVV code (a three-digit number encoded on a card's magnetic strip). On May 22, the script succeeded in exporting 263,000 records from CardSystems' system.

The records consisted of transactions that hadn't been completed. CardSystems was storing the transactions for research purposes to determine why they weren't completed, Perry said. The data was stored in readable form, in violation of Visa and MasterCard security requirements, he said. The data didn't include cardholder Social Security numbers, and thus couldn't be used for identity theft, Perry said.

It could, however, have been used to create counterfeit cards. Retention of this information "makes the database a much more attractive target for criminals," said Steve Ruwe, Visa's executive VP of operations and risk management, at Thursday's hearing. A total of 22 million Visa cards and 13 million MasterCard cards were put at risk by the security breach.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.