Unauthorized Data Access At CardSystems Began In April 2004, Bank Says
Congressional testimony details how unknown party gained access to payment-card data, exposing 40 million accounts and stealing 263,000 records.
Unauthorized activity at CardSystems Solutions Inc. that led to the exposure of 40 million payment cards started as early as April 2004, according to a security assessment performed by a bank that makes payments to merchants using CardSystems' services.
In prepared testimony given at a hearing Thursday before the House Committee on Financial Services, David Watson, chairman of Merrick Bank, said that a forensic IT audit firm it hired after learning of a security breach at CardSystems in May reported that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The audit firm also reported that CardSystems was retaining transaction data in violation of Visa USA Inc. rules.
Visa and American Express Co. earlier this week said that CardSystems would no longer be allowed to process transactions for their branded cards after October. Visa said it took the step because CardSystems was retaining transaction data in "unmasked" form, allegedly for research purposes, in violation of Visa's rules.
In prepared testimony at Thursday's hearing, CardSystems president and CEO John Perry said that in September, an unauthorized party placed a script, or sequence of instructions, on the CardSystems platform through an Internet-facing application used by customers to access data. The script caused records to be extracted, zipped into a file, and exported to an FTP site. "It was a sophisticated script that targeted a particular file type and was scheduled to run every four days," Perry said.
The script searched for records on individual cardholders, including name, account number, expiration date, and CVV code (a three-digit number encoded on a card's magnetic strip). On May 22, the script succeeded in exporting 263,000 records from CardSystems' system.
The records consisted of transactions that hadn't been completed. CardSystems was storing the transactions for research purposes to determine why they weren't completed, Perry said. The data was stored in readable form, in violation of Visa and MasterCard security requirements, he said. The data didn't include cardholder Social Security numbers, and thus couldn't be used for identity theft, Perry said.
It could, however, have been used to create counterfeit cards. Retention of this information "makes the database a much more attractive target for criminals," said Steve Ruwe, Visa's executive VP of operations and risk management, at Thursday's hearing. A total of 22 million Visa cards and 13 million MasterCard cards were put at risk by the security breach.
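The testimony above turns on two retention failures: incomplete transactions were kept in readable (unmasked) form, and the stored records still carried the card verification value. The following is an added example, not code from CardSystems, Merrick Bank or the article, showing the kind of control a processor can run over its own stored transaction records: it flags any record whose PAN is unmasked or whose CVV field is populated, and produces a redacted copy in which the PAN is masked to first-six/last-four and the CVV is dropped. The record layout, field names and card numbers are constructed for the example (the PANs are well-known test numbers, not real accounts).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "retained incomplete transactions" table, modelled on
# the kind of research store described in the testimony. Not real data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "name": "A. Cardholder", "pan": "4111111111111111", "exp": "0907", "cvv": "123", "status": "incomplete"},
    {"id": "2", "name": "B. Cardholder", "pan": "5500000000000004", "exp": "1106", "cvv": "", "status": "incomplete"},
    {"id": "3", "name": "C. Cardholder", "pan": "411111******1111", "exp": "", "cvv": "", "status": "incomplete"},
    {"id": "4", "name": "D. Cardholder", "pan": "1234567890123456", "exp": "", "cvv": "", "status": "incomplete"},  # not a valid PAN (fails Luhn)
]

# A bare run of 13-19 digits is the shape of an unmasked PAN.
_UNMASKED_PAN = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (reduces false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_unmasked_pan(value: str) -> bool:
    """True only for an all-digit PAN-length string that also passes Luhn."""
    return bool(_UNMASKED_PAN.match(value)) and luhn_ok(value)


def find_violations(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (record id, field) pairs that violate the retention policy.

    Policy: a stored PAN must be masked, and a CVV must never be stored.
    """
    findings: List[Tuple[str, str]] = []
    for rec in records:
        if is_unmasked_pan(rec.get("pan", "")):
            findings.append((rec["id"], "pan"))
        if rec.get("cvv", "").strip():
            findings.append((rec["id"], "cvv"))
    return findings


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, e.g. 411111******1111."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy of the records with every digit-only PAN masked and CVV removed.

    Masking is applied to any 13-19 digit field regardless of Luhn, so an
    invalid-looking number is still not left in the clear.
    """
    out: List[Dict[str, str]] = []
    for rec in records:
        clean = dict(rec)
        if _UNMASKED_PAN.match(clean.get("pan", "")):
            clean["pan"] = mask_pan(clean["pan"])
        clean["cvv"] = ""
        out.append(clean)
    return out


if __name__ == "__main__":
    for rec_id, field in find_violations(SAMPLE_RECORDS):
        print(f"record {rec_id}: {field} stored in violation of retention policy")
    print("after redaction:", find_violations(redact(SAMPLE_RECORDS)))
```

Run as a periodic job over the retained-transaction store, the first function gives the audit finding the testimony describes (readable card data held past authorization), and the second is the remediation: once the PAN is masked and the CVV gone, the retained rows can still be used to study why transactions failed without being usable to produce counterfeit cards.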