Thousands of Credit Card Details Cached in Google

An Australian working in the IT industry has stumbled upon a cached website containing the complete details of around 22,000 credit cards. Most of them belong to US and UK citizens and are issued by Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus.

According to ITnews Australia, the man has discovered the cached page after receiving a Google alert for a particular name. "The alert started with a bunch of other numbers, so I went to the web page and it was just a virtual directory listing with a bunch of directories underneath and a load of files inside," he says.

The IT worker speculated that the website might have served as a payment gateway for various retailers and suppliers, because of the directory listing, which included the names of numerous UK and US companies. Security experts disagree with this conclusion. Given that the website used to be registered to an individual from Vietnam, it's more likely that this was a dump server used by carders, they argue.

The details include cardholder names and addresses, credit card numbers, expiry dates, and even the CVV2 security codes. Filtering out the cards that have expired results in a number of almost 19,000 that could still be active.

After unsuccessfully attempting to contact Visa and Mastercard, the discoverer posted his findings on Whirlpool, a popular Australian IT website. The site's administration has deleted the discussion thread at the request of the Australian Federal Police, which is investigating the case, and has contacted the affected Australian cardholders and the companies that have issued the cards.

A Visa spokesperson has announced that the company has also launched an investigation, but no other details are available at the moment. Rik Ferguson, solutions architect at anti-virus vendor Trend Micro, tells The Register that, "From the moment this content was made public, Trend Micro have been working to help Google, over the course of the weekend, to identify and remove all the offending information."

The cached page was still available long after this story came out and anyone with a bit of experience in complex search queries could have figured out the link. "Google can sometimes be a victim of its own effectiveness, having indexed all available content from the criminal's dump server in Vietnam they inadvertently made thousands of UK credit card details available to the casual browser by serving them up from their own cache," Mr. Ferguson explained.