The rumor mill has started working overtime, only now there are more facts to the story. Two weeks ago, DataLoss DB posted details on tips it had received regarding a second security breach at a credit card processor. On Sunday, the company confirmed the rumor that a second processor had been compromised, but no one knows which company has been affected.
“What we still don't know is what processor has been breached... VISA and Mastercard are refusing to disclose which acquirer processor had the breach, as the organization hasn't released a public statement on it yet themselves,” said DataLoss DB.
Thanks to problems in data-breach disclosure laws, companies can delay announcing a breach, resulting from lax security or other methods of loss, pending an investigation by law enforcement. So, for now, while it is known a second processor has been hit, it would be up to them to tell the public, unless someone comes forward with proof and forces their hand.
According to a press statement from Tuscaloosa, VA, Federal Credit Union (TVAFCU), this second breach differs from the Heartland breach insofar as “another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates,”
“Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC,” the TVAFCU press release added. “They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009.”
The claims by DataLoss DB and TVAFCU are backed by another press release. This release, issued on February 12 by the Pennsylvania Credit Union Association (PCUA), says that during a conference call, Visa alerted members to the second compromise.
“We have been advised that some credit unions have already begun to see the Alerts in Compromise Manager, however they have not yet been distributed via E-Reports,” the PCUA release said. [Google Cache of link.]
PCUA listed the facts based off the results of the conference call. It knows for a fact that: “This is a very large compromise, similar to the Heartland compromise, but slightly smaller. There are going to be at least 24 different alerts. Track Data WAS NOT compromised, only account numbers and expiration dates.”
What neither of the press releases explains is that card numbers alone are fine for criminals, along with an expiration date. This is why you have CNP transactions. Most times, when CNP transactions occur, the security code on the back of the card is not used.
So who could the processor be? There are some names floating around that are likely candidates.
If you look at which companies Heartland competes with, as well as some of the larger processors, then the list shapes out to look like this: Bank of America Corporation, Fifth Third Bank, Chase Paymentech Solutions, Global Payments Inc., First Data Corporation, and NOVA Information Systems, Inc.
Band of America Corp. and First Data Corp. are the top targets in the online rumors. However, until someone figures it out with proof, or the company comes clean itself, any company listed as the source of the second breach is pure speculation.
This article will be updated as more information on the story breaks.
The Tech Herald: RBS WorldPay has yet to address rumors - are they the third breach?
The Tech Herald: Does the Heartland breach prove PCI useless?
The Tech Herald: Arrests made for using Heartland’s hijacked credit card numbers