Several reports confirm that another US-based payment processor has been compromised

Feb 26, 2009 13:04 GMT  ·  By

Notifications from credit unions, banking associations and other various groups point to a big data breach that has not yet been disclosed to the general public. The affected processor has not been named, but, according to the available information, a significant number of accounts have been compromised.

The reports are offering sometimes conflicting details, nevertheless they point to the same incident. The first such alert has come from the Community Bankers Association of Illinois (CBAI) and is dated February 11. "Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation," the announcement read.

According to CBAI, citing VISA, the incident affected cards of all brands, but their number was lower than those compromised in the Heartland breach. In addition, while account numbers, PANs and expiration dates were stolen, the hackers were not able to get their hands on Social Security numbers, PINs, addresses, telephone numbers, or other personal information of the cardholders.

Another announcement made by Tuscaloosa Virginia Credit Union, attributes the data breach to malware being installed on the payment processor's platform. However, it claims that "There is no forensic evidence that accounts were viewed or taken by the hackers."

The Credit Union Association in Pennsylvania has also issued a warning confirming that it has been alerted by Visa about a data breach incident that involved account numbers and expiration dates, which seems to be consistent with the other reports. Because of this, the union also notes that "The risk of unrecoverable fraud is lower."

The most discomforting alert has come from the Alabama Credit Union, which says that "We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor's location." The Union has taken measures to prevent any possible fraudulent transactions. "We have limited purchases on these VISA ATM/Debit Cards to $99 per day. Replacement cards have been ordered for every card that is being blocked, and should arrive at the cardholders' addresses in 5 – 10 days."

The limit is set at $99 because "Fraudulent transactions are primarily characterized as purchases of prepaid phone cards, prepaid gift cards, and money orders from Wal-Mart, and usually occur in $100 increments." However, PIN-based ATM transactions of up to $500 per day are still possible, the union pinpoints.

We will return with more information as it becomes available. In December, RBS WorldPay, a US-based payment processor, announced a similar data breach, which resulted in 100 credit cards being misused. It was later revealed that those 100 cards were employed to instrument one of the most complex and well-coordinated frauds operations ever, which earned the crooks an amazing $9 million.

In January, another major payment processor, Heartland Payment Systems, announced that its network was compromised. The company discovered malware on its computer system during an internal investigation launched after being alerted by Visa of fraudulent transactions on some of the cards it processed.