Secrecy shrouds breach of possibly a third payment cards processor

March 3rd, 2009

argast_michae_cropVisa and MasterCard are being circumspect about a new round of warnings they’ve issued regarding stolen credit and debit card numbers circulating in the criminal world — data  possibly stolen from another breach of a payment card processor. This follows major data thefts from Heartland Payment Sytems and RBS WorldPay,  for which precious few details have officially been made public.

Visa has issued a statement waffling about what prompted recent warnings to certain banks and credit unions about a fresh wave of stolen credit card and debit card account numbers being put to use by criminals. It took that action only after security bloggers, like Steve Ragan, of thetechherald.com, blogged about the warnings going into circulation.

Visa has declined to clearly explain its latest round of warnings.  “It seems odd that hackers had an easier time getting credit card information from the payment processors than Visa and Mastercard’s customers have getting information about these breaches,” says Sophos security analyst Michael Argast. “Consumers hate the uncertainty associated with not knowing if their card details are at risk.”

Quick-acting criminal cells

Make no mistake: this quality of valuable data feeds directly into a sophisticated underground market that puts it to quick use. Credit card account numbers stolen in the 2007 data breach of the TJX retail store chain got instantly dispersed to criminal cells across North America and Europe, fueling fraud sprees like this one carried out by the Irving Escobar  gang in Miami, Fla. Likewise, transaction data stolen from RBS WorldPlay last November reportedly seeded a coordinated global ATM heist that netted crooks a one-day score of $9 million in cash.

Argast says that data pilfered from Heartland and the as yet unnamed processor almost certainly has reached the hands of experienced criminal cells expert at cashing in. “Heartland learned of the breach only after they were alerted to a pattern of card fraud by Visa and Mastercard that pointed back to them,” he says. “This means that the cards had been cloned and were actively in use by criminals.”

TJX, Heartland, RBS WorldPay and now this latest, unnamed payment processor are “just data points along a long curve of attack escalations,” he says. “Gangs have been building substantial criminal enterprises that allow them to gather the tools necessary, execute successful attacks and monetize the resulting information in rapid succession.”

Fearful ramifications

The processors obviously fear getting sued.  But there’s another potential backlash. Massachusettes and Nevada are leading the way in passing new state laws dictating what businesses must do to protect credit card transaction records and other personal data. These new laws go much further than the hard-won laws in more than 30 states requiring companies to notify individuals whose data has been lost or stolen, and granting individual consumers the right to freeze their credit histories.

Roy E. Hadley, a privacy attorney at Bryan Cave Powell Goldstein Bulletin, predicts other states may follow suit.  See my full interview with Hadley here.

–Byron Acohido

Photo of Michael Argast