Visa backtracks on breach disclosure

Computerworld - Visa and MasterCard have probably been slow to identify the cause of a breach that they warned banks about in mid-February because they want to complete an investigation into the incident, analysts say.

However, the lack of candor sparked rampant speculation that a new, major breach had occurred, forcing Visa to later say that the warning referred to an expanded investigation of a previously known incident.

The saga began in mid-February, when Foster City, Calif.-based Visa Inc. started to quietly notify banks and credit unions that an unnamed credit card processing company "experienced a compromise of payment card account information from its systems."

At the same time, Purchase, N.Y.-based MasterCard International Inc. confirmed that it was alerting card issuers of a "potential" breach in which credit cards "were determined to be improperly accessed by an unauthorized party."

Although the companies' carefully worded statements didn't say they were referring to a new intrusion, they also failed to say that they were talking about a previously disclosed incident.

By the end of February, Visa announced that the alerts referred to an earlier breach that had turned out to be larger than first thought.

The credit card company did not identify the processing company or say why it was continuing to keep its name under wraps.

MasterCard did not respond to requests for comment on Visa's clarification.

Prior to Visa's explanation, several users said they were convinced that a major new breach had occurred.

Benson Bolling, vice president of lending at the Alabama Credit Union in Tuscaloosa, said that credit union officials believed that Visa and MasterCard were probably referring to a new breach. He also noted that Visa's initial warning about a "big breach" came shortly after Heartland Payments Systems Inc.'s Jan. 20 disclosure of a massive intrusion into its card processing systems.

Advisories issued by the Pennsylvania Credit Union Association and Tuscaloosa VA Federal Credit Union also implied that Visa and MasterCard were referring to new incidents in the mid-February notification.

Both Visa and MasterCard said early on that the latest notice did not refer to the the breach at Heartland, which exposed some 100 million credit cards to hackers.

Analysts last week suggested that the credit card companies might identify the hacked company once they determine what happened.

"The forensics may not have turned up very much conclusive evidence," said Avivah Litan, an analyst at Gartner Inc. "The criminals have gotten so good at getting in and getting out, it is not easy to prove these breaches. They can be very hard to detect, and [MasterCard and Visa] honestly may not know what happened."

Jim Huguelet, an independent security consultant in Bolingbrook, Ill., said that credit card companies "don't want to overcommunicate." They are probably looking to investigate "as methodically as they can," he noted.

However, he cautioned that in such cases, people "will start to fill in the blanks" and perhaps come to the wrong conclusion.

Huguelet did say that Visa's disclosure that there was no new breach is good news.

"Three in 60 days or less would have been disheartening," he said, noting that RBS WorldPay Inc. in December said that a breach exposed personal data of about 1.5 million owners of prepaid payroll and gift cards.

This version of this story originally appeared in Computerworld's print edition.

Read more about security in Computerworld's Security Knowledge Center.