RBS WorldPay, a popular payment processing service, has announced that an unknown and unauthorized party has illegally obtained access to its computer systems. The personal information of 1.5 million customers, as well as the Social Security numbers of 1.1 million, may have been compromised, according to the company.

RBS WordPay is a business operated by The Royal Bank of Scotland Group, and is based in Atlanta, GA. It offers payment processing solutions that cover credit, debit, Electronic Bank Transfers, gift cards, customer loyalty cards, checks, ATM, and tailored solutions for retail, restaurant, petroleum, convenience stores, grocery, hospitality, transport, and cardholders not present in these sectors.

According to WorldPay, the security breach incident occurred on November 10, and the company immediately alerted the authorities, who started an investigation. In addition, security experts and firms were commissioned to determine how the systems were penetrated and to implement stronger protection.

The incident affected its pre-paid card issuing business in particular, the company notes in a press release dating December 23. As a result, approximately 100 re-loadable payroll cards have been deactivated under the suspicion of already being fraudulently accessed, while all the PIN-enabled cards have had their PIN reset in order to prevent any future misuse.

“We have taken important, immediate steps to mitigate risk, and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation,” Ben Barone, the CEO of RBS WorldPay, announced. “Privacy is important to RBS WorldPay, and we regret any inconvenience this may cause affected individuals,” he added.

The company has set up a special web page for the affected customers where important instructions have been published, and which in addition offers a free one-year subscription with a credit monitoring service. Graham Cluley, senior technology consultant for anti-virus vendor Sophos, has questioned the long period of time it took the company to issue a press release about the incident. “I’m sure that, if it had been my confidential information that might have been compromised, I would want to know about it as soon as possible,” he noted, while adding that “I can’t help but think that making a public statement just before a major holiday may fulfil regulatory requirements, but may 'bury' the bad news from reporters.”