Just weeks after Heartland breach, another payment processor said to be hit
Visa, MasterCard notify banks of breach at unidentified company; third incident involving payment processors since December
Just weeks after Heartland Payment Systems Inc. disclosed what may be one of the largest breaches of payment card data thus far, news is emerging of what could be another major breach involving a payment processing company.
The identity of the payment processor is still unclear, as is the number of credit and debit cards that were compromised in the breach. What is known is that attackers broke into systems at a U.S-based company and that the breach exposed the account numbers and expiration dates of payment cards used in so-called card-not-present transactions between last February and this January.
The breach is the third affecting a payment processor to come to light since late last year, following the one that Heartland acknowledged last month and another that RBS WorldPay Inc. disclosed in December. The latest incident underscores concerns within the financial industry that attackers are increasingly targeting payment processors, which typically handle far more card data than individual retailers do.
Both Visa Inc. and MasterCard International Inc. have begun quietly notifying banks and credit unions of the new breach and providing them with lists of the affected card numbers. As with the breach at Heartland, no unencrypted PINs, card verification codes or customer Social Security numbers were exposed, according to the notifications. They also indicated that the latest incident didn't involve the compromise of data from the magnetic stripes on the back of cards, whereas Heartland said that some magnetic-stripe data may have been taken in the breach there.
In a statement sent via e-mail, Visa said it's aware that a processing firm has "experienced a compromise of payment card account information from its systems." But Visa didn't identify the affected payment processor in its statement, which said that card holders are protected financially from illegitimate purchases through the company's zero-liability fraud-protection policy.
MasterCard confirmed in a statement that it also has begun alerting card issuers about what it described as a "potential" breach. "In response to a potential security breach affecting an acquiring processor in the United States, MasterCard is monitoring developments and has notified issuers of cards that were determined to be improperly accessed by an unauthorized party," the company said. MasterCard added that it was providing the notices so that banks and credit unions could monitor for suspicious account activity and take steps to protect their card holders.
The breach was first reported by the Office of Inadequate Security blog site on Saturday. Since then, the blog has posted alerts from various organizations reporting that they were informed of the breach by Visa and MasterCard. Among them are the Tuscaloosa VA Federal Credit Union in Alabama, the Pennsylvania Credit Union Association, the Community Bankers Association of Illinois and the New York State Consumer Protection Board.
In addition, Computerworld found a similar advisory posted on the Web site of the Alabama Credit Union in Tuscaloosa that discusses the latest breach and its impact on that institution's customers.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts