Just weeks after Heartland breach, another payment processor said to be hit
Visa, MasterCard notify banks of breach at unidentified company; third incident involving payment processors since December
Just weeks after Heartland Payment Systems Inc. disclosed what may be one of the largest breaches of payment card data thus far, news is emerging of what could be another major breach involving a payment processing company.
The identity of the payment processor is still unclear, as is the number of credit and debit cards that were compromised in the breach. What is known is that attackers broke into systems at a U.S-based company and that the breach exposed the account numbers and expiration dates of payment cards used in so-called card-not-present transactions between last February and this January.
The breach is the third affecting a payment processor to come to light since late last year, following the one that Heartland acknowledged last month and another that RBS WorldPay Inc. disclosed in December. The latest incident underscores concerns within the financial industry that attackers are increasingly targeting payment processors, which typically handle far more card data than individual retailers do.
Both Visa Inc. and MasterCard International Inc. have begun quietly notifying banks and credit unions of the new breach and providing them with lists of the affected card numbers. As with the breach at Heartland, no unencrypted PINs, card verification codes or customer Social Security numbers were exposed, according to the notifications. They also indicated that the latest incident didn't involve the compromise of data from the magnetic stripes on the back of cards, whereas Heartland said that some magnetic-stripe data may have been taken in the breach there.
In a statement sent via e-mail, Visa said it's aware that a processing firm has "experienced a compromise of payment card account information from its systems." But Visa didn't identify the affected payment processor in its statement, which said that card holders are protected financially from illegitimate purchases through the company's zero-liability fraud-protection policy.
MasterCard confirmed in a statement that it also has begun alerting card issuers about what it described as a "potential" breach. "In response to a potential security breach affecting an acquiring processor in the United States, MasterCard is monitoring developments and has notified issuers of cards that were determined to be improperly accessed by an unauthorized party," the company said. MasterCard added that it was providing the notices so that banks and credit unions could monitor for suspicious account activity and take steps to protect their card holders.
The breach was first reported by the Office of Inadequate Security blog site on Saturday. Since then, the blog has posted alerts from various organizations reporting that they were informed of the breach by Visa and MasterCard. Among them are the Tuscaloosa VA Federal Credit Union in Alabama, the Pennsylvania Credit Union Association, the Community Bankers Association of Illinois and the New York State Consumer Protection Board.
In addition, Computerworld found a similar advisory posted on the Web site of the Alabama Credit Union in Tuscaloosa that discusses the latest breach and its impact on that institution's customers.
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- The Evolution of Corporate Cyberthreats Cybercriminals are creating and deploying new threats every day that are more destructive than ever before. While you may have more people devoted...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Cybercrime and Hacking White Papers | Webcasts