Unauthorized Data Access At CardSystems Began In April 2004, Bank Says
Congressional testimony details how unknown party gained access to payment-card data, exposing 40 million accounts and stealing 263,000 records.
Unauthorized activity at CardSystems Solutions Inc. that led to the exposure of 40 million payment cards started as early as April 2004, according to a security assessment performed by a bank that makes payments to merchants using CardSystems' services.
In prepared testimony given at a hearing Thursday before the House Committee on Financial Services, David Watson, chairman of Merrick Bank, said that a forensic IT audit firm it hired after learning of a security breach at CardSystems in May reported that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The audit firm also reported that CardSystems was retaining transaction data in violation of Visa USA Inc. rules.
Visa and American Express Co. earlier this week said that CardSystems would no longer be allowed to process transactions for their branded cards after October. Visa said it took the step because CardSystems was retaining transaction data in "unmasked" form, allegedly for research purposes, in violation of Visa's rules.
In prepared testimony at Thursday's hearing, CardSystems president and CEO John Perry said that in September, an unauthorized party placed a script, or sequence of instructions, on the CardSystems platform through an Internet-facing application used by customers to access data. The script caused records to be extracted, zipped into a file, and exported to an FTP site. "It was a sophisticated script that targeted a particular file type and was scheduled to run every four days," Perry said.
The script searched for records on individual cardholders, including name, account number, expiration date, and CVV code (a three-digit number encoded on a card's magnetic strip). On May 22, the script succeeded in exporting 263,000 records from CardSystems' system.
The records consisted of transactions that hadn't been completed. CardSystems was storing the transactions for research purposes to determine why they weren't completed, Perry said. The data was stored in readable form, in violation of Visa and MasterCard security requirements, he said. The data didn't include cardholder Social Security numbers, and thus couldn't be used for identity theft, Perry said.
It could, however, have been used to create counterfeit cards. Retention of this information "makes the database a much more attractive target for criminals," said Steve Ruwe, Visa's executive VP of operations and risk management, at Thursday's hearing. A total of 22 million Visa cards and 13 million MasterCard cards were put at risk by the security breach.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.