Human error leads to hack of Western Union Web site

Western Union Holdings Inc. today continued to assess the damage done last week when a malicious hacker's attack caused about 15,700 credit-card and debit-card numbers belonging to customers of the telegram and money-transfer company to be illegally copied off of its Web site.

Peter Ziverts, a spokesman for Western Union in Englewood, Colo., said the attack against the Web site was discovered Friday during a routine performance audit. The security breach that allowed the attacker or group of attackers to access the credit-card data was caused by a "human error" during some work on the site, he said.

The Web site, which had been upgraded in June to allow users to send money over the Internet, was undergoing "performance management" tasks last week, according to Ziverts. But after the work was done, the employees who did it apparently "left a file unprotected," creating a security hole that could be used to enter the site, he said.

Western Union officials reacted swiftly after learning of the problem, Ziverts said. The company immediately shut down the Web site, and on Saturday it began alerting affected customers by telephone and e-mail. It also contacted credit-card companies and the National Bankcard Association to advise them that the numbers had been stolen -- a step that Ziverts said enabled the credit-card issuers to institute "fraud watch" protections.

Even so, he added that an unspecified number of customers were advised to close their existing credit-card accounts and open new ones with different numbers. Only Western Union customers who had used the company's Web site to transfer money over the Internet were affected by the security breach, Ziverts said.

The Web site remained shut today, with the following note posted on its home page: "Our Web site is temporarily out of service. We apologize for any inconvenience."

But Ziverts said the site could be back online before the end of the day after having been upgraded to provide better security and site management capabilities aimed at preventing a repeat break-in. "We believe we have taken very, very aggressive measures to assure the security of the site," he said.


Copyright © 2000 IDG Communications, Inc.
