Here’s a timeline of what we’ve seen surrounding this vaguely disclosed breach. First, some terms:
CAMS: This is an acronym for a Visa-implemented system, the “Compromised Account Management System”. Alerts are distributed via this system to banks and other financial institutions to facilitate card reissuing and fraud detection. Mastercard also issues similar alerts.
Card Not Present: This term means exactly what you think it does. The card was not physically present during the transaction. This is typical in online shopping, telephone sales, etc.
UPDATE | February 11th, 2009: VISA blasts out a CAMS notice, which has been contributed to OSF anonymously:
“Date: February 11, 2009 Entity Type: Acquirer Processor – Fraud Reported: Yes, elevated fraud rates on this event Visa Fraud Control & Investigations has been notified of a confirmed network intrusion that may have put Visa account numbers at risk. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. Fraud analysis has revealed elevated card-not-present fraud rates on this incident. Even though it is not known if any account information was actually removed during the intrusion, we must still consider the data to be at risk because of the elevated fraud. Based on the forensic investigative findings, the entity began storing PANs and expiration dates in February 2008. The forensic investigation is ongoing. Any new material information will be provided in a CAMS update to better assist you with fraud and risk mitigation.”
February 11th, 2009: Fiserv blasted out this alert to their customers (banks, credit unions, processors, etc). We were tipped on this by multiple sources. The statement reads:
“The Risk Office Team has received information from Visa and MasterCard regarding the confirmed compromise of a U.S.-based acquirer processor. Please note that the compromised card alerts for this event are not related to the Heartland Data Systems’ breach. Given that confirmation of the Heartland breach and this new compromise occurred in such close proximity, it’s possible that the same card numbers could appear on compromised card lists associated for both events. You may wish to take this into consideration as you execute your organization’s monitoring and/or reissue plans for recently compromised cards.”
February 12th, 2009: The Community Bankers Association of Illinois posts a notice that included the following:
“Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation…”
Between 2-11 and 2-13: The Tuscaloosa Federal Credit Union releases a notice regarding the incident that reads:
“On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach.”
February 13th, 2009: The Independent Community Bankers of America releases this on their website:
“ICBA learned of another security breach involving a merchant processor. The breach appears to be large, but not as large or severe as the recent breach at Heartland Payment Systems. The name of the breached processor is unknown at this time, but ICBA knows that: All accounts and all brands were equally exposed; however, only card numbers and expiration dates were captured. No track data was captured. Because there is no evidence of skimming counterfeit and all known fraudulent transactions have been key entered, Visa’s ADCR program will not cover losses. However, compliance and “card not present” (depending on status of VbyV/SecureCode) chargeback rights should apply. MC issuers must file via compliance as they always do. Alerts for this new incident are being reported under Visa series US-2009-088 and MasterCard series MCA0150-US-09.”
February 13th, 2009: The Pennsylvania Credit Union Association released this statement, which we’ve retrieved from Google cache, as the page that held the old notice is now displaying a new notice about something else. The old notice read:
“Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor’s platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation. Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer’s decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise.”
February 13th, 2009: We posted a blog entry regarding what we’ve been hearing from tipsters, who are usually dead on about these things, but we did so only after corroborating that the tips we’d heard were also being heard by others.
February 17th, 2009: The Alabama Credit Union posts a notice on their website that reads:
“Alabama Credit Union has been notified by VISA that some members’ VISA credit card information may have been discovered during a breach at a card processor’s site. VISA has not named the card processor.”
February 17th, 2009: The Bankers’ Bank of Kansas posts a notification which reads:
“Two large data compromises affecting credit and debit cards were announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively monitors all alerts from Visa®, MasterCard®, and our processor for compromised card data….”
February 19th, 2009: The Alabama Credit Union follows up on their initial reporting with an update indicating how fraud is being committed as a result of this new breach, and it contains the following:
We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor’s location. VISA has declined to name the vendor or processor. The fraudulent transactions are primarily characterized as purchases of prepaid phone cards, prepaid gift cards, and money orders from Wal-Mart, and usually occur in $100 increments.
February 24th, 2009: News reports are released about St. Mary’s Credit Union receiving notification regarding this breach. The article writes:
“A breach of a credit card processing system at St. Mary’s Credit Union yesterday affected up to 4,300 customers and likely cost the business more than $20,000….The credit union does not know the name of the processing system, but Battista said the breach likely affected people across the country…”
End of Timeline
This is what we know. Of course, there is a lot of speculation as to who the unnamed processor is. Our mailboxes here are on fire with speculation, and you can read the comments on some of our previous posts on the topic to see examples of it. We have no solid information regarding who the affected organization is. We do know that we’ve had two other major breaches recently involving this type of data, namely RBS Worldpay and Heartland Payment Systems. We also know that in a statement to The Consumerist, Visa and Heartland are adamant that this new breach was not them.
Ultimately, I think the banks will demand to know, considering the costs are mostly their burden to bear. But in the meantime, we wait.
Posted by d2d.
When we initially wrote about it, we were acting on a tip that was corroborated by other sources who wish to remain anonymous. What we knew at the time but couldn’t publish was that it was a “card not present” breach at an “acquirer / processor”. We’re now able to say this specifically, as another source has come out publicly with the information (props to databreaches.net for finding this source).
What we still don’t know is what processor has been breached. According to the aforementioned article, and as has been confirmed by our sources, VISA and Mastercard are refusing to disclose which acquirer processor had the breach, as the organization hasn’t released a public statement on it yet themselves.
We do know, from the aforementioned article and through investigative work done here as well, that the breach in question isn’t magstripe (hence card not present). The terms “card not present” have been repeatedly used by almost every source we have, and this article as well. We also know that cards affected by the Heartland breach may also have been affected by this breach, leading to some confusion at banks regarding reissuing cards.
Our questions: No magstripes? All “card not present”? Either this was a breach in a major processor’s online transactions system, or, the breach was at a major online payment processor. Those are our guesses, but, we’ve been surprised before. Also, why hasn’t the breached organization come forward? It has been “suggested” to us that some sort of a “gag” order is in effect on the topic, but we haven’t been able to ascertain whether this is an actual judicial order, or some otherwise unofficial order to keep quiet on this.
As to the size and scale of this new breach, we’re hearing mixed responses from smaller than Heartland to larger than Heartland, and given that we don’t yet have a number regarding Heartland, it seems ever more speculative as to just how big this new breach is. One thing is certain, the two breaches amount to a lot of card replacements, a lot of bankers working overtime, and a lot of consumers inconvenienced, or worse, defrauded.
More details as this unfolds, as it no doubt will.
Banks around the country are reportedly receiving warnings, and perhaps even new lists of cards to replace. This is apparently regarding another credit card processor, unrelated to Heartland Payment Systems, having a significant breach.
OSF has received multiple tips from multiple sources, all sounding nearly identical.
From what we’ve heard, this second breach is significant in scale, but we have not as of yet been told who the processor is.
Also, BankInfoSecurity.com has released an article about three people being arrested for allegedly using credit cards from the Heartland breach. Their list of institutions affected by the Heartland incident also continues to grow (they maintain a much more comprehensive list than we did). Hats off!
We’ll post more details as we become aware of them.
We recently sent out a FOIA request to Virginia, and received a whole slew of documents in response. We’ve since scanned and processed them, and they are now in the Primary Sources Archive.
Thank you kindly Virginia!
Of these, the ones that we’ve found to be particularly interesting are:
- Norfolk Southern – 12/17/2008 – Third Party Fraud affecting over 1500 Virginia Residents
- North Pacific – 12/23/2008 – Stolen Laptops from HR
- Federated Insurance – 12/23/2008 – Stolen Laptops affecting 107 VA residents
- Best Buy – 12/5/2008 – Third Party Payroll manager breach affects 3 VA residents
- Harolds Stores – 12/4/2008 – Third party posts file containing employee SSNs – 24 VA residents affected
New Hampshire posted a Best Buy breach notification today for a case of employee Fraud (skimmer) in Florida, making that two separate breach notifications for Best Buy made available today.
Maryland posted the very first we’ve seen officially of Heartland breach notifications. Little if anything new is really disclosed in it, however. One interesting quote is “We are not aware of any identity theft resulting from this incident”. Credit card fraud has been widely reported, but it would appear that at least according to Heartland, credit/debit card utilization under someone else’s name does not constitute identity theft. That is likely arguable.
Posted by d2d.
Since the launch of the Primary Sources Archive, we’ve added 221 new incidents discovered from primary sources research, and 616 primary sources have been linked to incidents. 56% of the primary sources we’ve classified to date either resulted in new incidents, or were attached to incidents that came from primary sources. This highlights the tremendous value of obtaining these documents, and our efforts in scanning and classifying them.
Thanks to all who have either contributed funding, time, or primary sources themselves to the project.
On other matters, Maryland released a group of primary sources on their website recently, and we’ve classified them. Many we already had, but these are either new or updated:
- Educational Testing Service (ETS) – 2009-01-29
“Missing” laptop from office building contained personal data (names, SSNs) of unspecified people.
This is a new entry.
- MassMutual Financial Group – 2009-01-26
Accidental disclosure of client information to another client.
This is a new entry.
- SRA International – 2009-1-20
Company is notifying “all” current and former employees, as well as some clients, regarding a virus that had breached a system containing personal information.
This is a new entry.
- Hewlett Packard – 2009-1-15
The December HP breach involving a stolen laptop has been increased in size (an additional 601 MD residents affected, added to the previous 626).
- Ameriprise Financial – 2008-12-24
Vague intrusion via a third party puts Ameriprise Advisor Services (Formerly H&R Block Financial Advisors) client information at risk, including transaction information, bank information, name, address, holdings, and tax information.
This is a new entry.
- Harford Community College – 2008-12-17
Lost flash drive contains personal details of 70 workforce development students.
This is a new entry.
Posted by d2d.