Category Archives: Breach Analysis

Unnamed Acquirer Processor Breach Timeline

Here’s a timeline of what we’ve seen surrounding this vaguely disclosed breach. First, some terms:

CAMS: This is an acronym for a Visa-implemented system, the “Compromised Account Management System”. Alerts are distributed via this system to banks and other financial institutions to facilitate card reissuing and fraud detection. Mastercard also issues similar alerts.

Card Not Present: This term means exactly what you think it does. The card was not physically present during the transaction. This is typical in online shopping, telephone sales, etc.

UPDATE | February 11th, 2009: VISA blasts out a CAMS notice, which has been contributed to OSF anonymously:

“Date: February 11, 2009
Entity Type: Acquirer Processor – Fraud Reported: Yes, elevated fraud rates on this event
Visa Fraud Control & Investigations has been notified of a confirmed network intrusion that may have put Visa account numbers at risk. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. Fraud analysis has revealed elevated card-not-present fraud rates on this incident. Even though it is not known if any account information was actually removed during the intrusion, we must still consider the data to be at risk because of the elevated fraud. Based on the forensic investigative findings, the entity began storing PANs and expiration dates in February 2008. The forensic investigation is ongoing. Any new material information will be provided in a CAMS update to better assist you with fraud and risk mitigation.”

February 11th, 2009: Fiserv blasted out this alert to their customers (banks, credit unions, processors, etc.). We were tipped on this by multiple sources. The statement reads:

“The Risk Office Team has received information from Visa and MasterCard regarding the confirmed compromise of a U.S.-based acquirer processor. Please note that the compromised card alerts for this event are not related to the Heartland Data Systems’ breach. Given that confirmation of the Heartland breach and this new compromise occurred in such close proximity, it’s possible that the same card numbers could appear on compromised card lists associated for both events. You may wish to take this into consideration as you execute your organization’s monitoring and/or reissue plans for recently compromised cards.”

February 12th, 2009: The Community Bankers Association of Illinois posts a notice that included the following:

“Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation…”

Between 2-11 and 2-13: The Tuscaloosa Federal Credit Union releases a notice regarding the incident that reads:

“On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach.”

February 13th, 2009: The Independent Community Bankers of America releases this on their website:

“ICBA learned of another security breach involving a merchant processor. The breach appears to be large, but not as large or severe as the recent breach at Heartland Payment Systems. The name of the breached processor is unknown at this time, but ICBA knows that: All accounts and all brands were equally exposed; however, only card numbers and expiration dates were captured. No track data was captured. Because there is no evidence of skimming counterfeit and all known fraudulent transactions have been key entered, Visa’s ADCR program will not cover losses. However, compliance and “card not present” (depending on status of VbyV/SecureCode) chargeback rights should apply. MC issuers must file via compliance as they always do. Alerts for this new incident are being reported under Visa series US-2009-088 and MasterCard series MCA0150-US-09.”

February 13th, 2009: The Pennsylvania Credit Union Association released this statement, which we’ve retrieved from Google cache, as the URL of the old notice now displays a new notice about something else. The old notice read:

“Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor’s platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation. Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer’s decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise.”

February 13th, 2009: We posted a blog entry regarding what we’ve been hearing from tipsters, who are usually dead on about these things, but we did so only after corroborating that the tips we’d heard were also being heard by others.

February 17th, 2009: The Alabama Credit Union posts a notice on their website that reads:

“Alabama Credit Union has been notified by VISA that some members’ VISA credit card information may have been discovered during a breach at a card processor’s site. VISA has not named the card processor.”

February 17th, 2009: The Bankers’ Bank of Kansas posts a notification which reads:

“Two large data compromises affecting credit and debit cards were announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively monitors all alerts from Visa®, MasterCard®, and our processor for compromised card data….”

February 19th, 2009: The Alabama Credit Union follows up on their initial reporting with an update indicating how fraud is being committed as a result of this new breach, and it contains the following:

“We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor’s location. VISA has declined to name the vendor or processor. The fraudulent transactions are primarily characterized as purchases of prepaid phone cards, prepaid gift cards, and money orders from Wal-Mart, and usually occur in $100 increments.”
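The two operational points in the notices above, that the same PAN can appear on the alert lists for this event and for Heartland (the Fiserv alert), and that the observed fraud is card-not-present purchases of prepaid cards and money orders in round $100 amounts (the Alabama Credit Union update), are the inputs an issuer’s fraud desk actually works with. The following is an added example, not code from the original page or from any of the organizations it quotes: it builds an index of alerted PANs across several CAMS-style series, deduplicating cards that appear on more than one list, and then flags transactions that match the described pattern. The Visa and MasterCard series IDs are the ones quoted on the page; the Heartland series key, every PAN (published test numbers), the merchant category labels and all transactions are constructed sample data.

```python
"""Added example (not from the original page): match an issuer's transaction
stream against CAMS-style compromised-card alert lists and flag the
card-not-present prepaid/money-order pattern described in the notices.
All PANs, merchant categories and transactions below are constructed."""

from dataclasses import dataclass

# Constructed alert lists keyed by alert series. The two series IDs quoted on
# the page are reused as keys; the Heartland key is a placeholder (its real
# series ID is not on the page). PANs are well-known published test numbers.
ALERTS = {
    "US-2009-0088-IC": {"4111111111111111", "4012888888881881", "4222222222222"},
    "MCA0150-US-09": {"5555555555554444", "4012888888881881"},
    "HEARTLAND-SERIES-PLACEHOLDER": {"4111111111111111", "5105105105105100"},
}

# Constructed merchant category labels standing in for real MCC codes.
PREPAID_CATEGORIES = {"prepaid_phone_card", "prepaid_gift_card", "money_order"}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    pan: str
    amount: float
    merchant: str
    category: str
    card_present: bool


def build_alert_index(alerts):
    """Map PAN -> set of alert series it appears in, so a card that is on
    both this event's list and the Heartland list is handled once."""
    index = {}
    for series, pans in alerts.items():
        for pan in pans:
            index.setdefault(pan, set()).add(series)
    return index


def alert_overlap(alerts):
    """PANs that appear in more than one alert series (the Fiserv caveat)."""
    return {pan for pan, series in build_alert_index(alerts).items() if len(series) > 1}


def mask_pan(pan):
    """Show only first six and last four digits when logging a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def risk_reasons(txn, index):
    """Reasons a transaction matches the alerted-card CNP fraud pattern."""
    series = index.get(txn.pan)
    if not series:
        return []  # card is on no alert list; nothing to add
    reasons = ["alerted:" + "+".join(sorted(series))]
    if not txn.card_present:
        reasons.append("card-not-present")
    if txn.category in PREPAID_CATEGORIES:
        reasons.append("prepaid/money-order")
    if txn.amount >= 100 and txn.amount % 100 == 0:
        reasons.append("round-$100")
    return reasons


def flag_transactions(txns, alerts):
    """Return (masked_pan, txn_id, reasons) for each transaction on an alerted
    card that is card-not-present and is either a prepaid/money-order purchase
    or a round $100 amount."""
    index = build_alert_index(alerts)
    flagged = []
    for t in txns:
        r = risk_reasons(t, index)
        if "card-not-present" in r and {"prepaid/money-order", "round-$100"} & set(r):
            flagged.append((mask_pan(t.pan), t.txn_id, r))
    return flagged


# Constructed sample transactions; comments state the expected outcome.
SAMPLE_TXNS = [
    Txn("t1", "4111111111111111", 100.00, "WAL-MART.COM", "prepaid_gift_card", False),  # flagged
    Txn("t2", "4111111111111111", 43.17, "GROCERY", "grocery", True),                  # in-store, not flagged
    Txn("t3", "4012888888881881", 200.00, "MONEY ORDER", "money_order", False),        # flagged, on two lists
    Txn("t4", "5105105105105100", 100.00, "PHONE CARD", "prepaid_phone_card", True),   # card present, not flagged
    Txn("t5", "4444333322221111", 100.00, "GIFT CARD", "prepaid_gift_card", False),    # not alerted, not flagged
    Txn("t6", "5555555555554444", 59.99, "ONLINE SHOP", "electronics", False),         # CNP but no pattern
]

if __name__ == "__main__":
    for masked, txn_id, reasons in flag_transactions(SAMPLE_TXNS, ALERTS):
        print(masked, txn_id, ", ".join(reasons))
```

A transaction that is merely on an alert list is not flagged on its own, since the notices stress that reissue versus monitor is the issuer’s decision; the rule only fires when the card is alerted and the transaction looks like the reported fraud. In practice the hard-coded category set and the round-amount test would be tuned from the issuer’s own confirmed-fraud cases.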

February 22nd, 2009: We posted a follow-up to our original story, with new information (some of the above timeline items) gathered from

February 24th, 2009: News reports are released about St. Mary’s Credit Union receiving notification regarding this breach. The article states:

“A breach of a credit card processing system at St. Mary’s Credit Union yesterday affected up to 4,300 customers and likely cost the business more than $20,000….The credit union does not know the name of the processing system, but Battista said the breach likely affected people across the country…”

End of Timeline

This is what we know. Of course, there is a lot of speculation as to who the unnamed processor is. Our mailboxes here are on fire with speculation, and you can read the comments on some of our previous posts on the topic to see examples of it. We have no solid information regarding who the affected organization is. We do know that we’ve had two other major breaches recently involving this type of data, namely: RBS Worldpay and Heartland Payment Systems. We also know that in a statement to The Consumerist, Visa and Heartland are adamant that this new breach was not them.

Ultimately, I think the banks will demand to know, considering the costs are mostly their burden to bear. But in the meantime, we wait.

Posted by d2d.

Another Heartland Payment Systems Update

As we know it today, HPS has affected banks nationwide. Many are reissuing cards, many are not. It would seem that most banks are opting to take faith in their fraud detection technology, citing in most cases that the cost to reissue would likely exceed the costs of dealing with fraudulent charges case-by-case.

The ethics of not reissuing cards is debatable. It, in many ways, puts the responsibility of reporting fraud on the shoulders of the card holders. At the same time, one can argue that banks should not be the ones forced to bear the cost burden of this breach. We’ve read estimates anywhere from $7 to $20 per card as being the cost of replacement. Given that, we can see the reluctance of banks, though we certainly don’t endorse the practice. Chances are, the banks will seek to recoup the costs in the courts.

We’ve compiled a list of banks and card issuing institutions that we’ve found, via scouring news articles, that have been reported to be affected, with a list of the number of cards reissued when the number was disclosed. Heartland won’t tell us, so we’re trying to get an idea on our own. You can view the list here:

The list, as of the time of this writing, consists of nearly 50 organizations affected, and over 200,000 records. This is likely only the very beginning, and we may or may not keep up with it, depending on how large it mushrooms.

Meanwhile, Heartland Payment Systems is now being sued, class action style. And Robert O. Carr, Heartland Chairman and CEO is under suspicion of insider trading, per the linked article (which is fantastic, read it).

Heartland continues to claim it doesn’t know how many cards are affected. This seems completely improbable. Someone knows, be it Visa, Mastercard, or Heartland, someone must know. It would appear that Visa and Mastercard are the organizations doing most of the “talking” with the card issuers, giving them lists of cards, etc. Yet, still no total. Someone knows the total, or has a rough idea.

Posted by d2d.

not emailing users regarding breach

According to this Slashdot post, does not plan on notifying users regarding its recent account security breach.

Granted, they’ve listed a fairly prominent Security Notice on their home page, but it seems a little irresponsible to not email their clients, or automatically force a password change for these accounts. I suspect most institutions would do that by default in the event of a compromise.

Last time was breached (in 2007), they supposedly snail mailed millions of users warning them, worried that users wouldn’t trust email as a result of the breach. Perhaps they’ll snail mail again?

Posted by d2d.

Heartland Payment Systems Breach Update

As many can tell by now, the breach has snowballed significantly, finding its way into hundreds of news articles, mostly containing the same information with slightly different wording. What follows is a timeline as experienced by OSF, Data Loss DB, and our volunteers.

About a week ago, we heard “whispers”, what we call tips from folks who wish to remain anonymous, that something large had occurred with First Data. We did some degree of research, but came up with nothing, and moved on to our other duties.

Monday of this week, we discovered through our feeds this article mentioning First Data. Red flags aplenty came up, as it’s rare that a “whisper” goes much beyond a “whisper”. We immediately got in contact with those who wrote the article, and they indicated that they could get little information from First Data regarding the situation. We then began searching for data on other banks to see what we could find, and we came up with at least 5 other small banks posting notices regarding credit/debit cards. We wrote a brief post about what we thought we were seeing, and updated it as things changed.

We knew we had stumbled onto something large, but we thought it was involving First Data. The verdict is still out on whether Forcht Bank had anything to do with Heartland, as there are very conflicting reports about this, but our assumption for the time being is that it is the same breach.

We sounded alarms, and contacted several reporters and bloggers that we had worked with in the past. One or two articles later, the cat was out of the bag, and Heartland issued a public statement regarding their breach. From there, other media outlets fed on the news, and here we are.

At this time, banks around the country are being notified, and are issuing new cards to their customers. We still have no total number affected, but there has been speculation of 100 million cards. Some are speculating that the total may end up being larger. If it is that high or higher, it would be the largest data loss incident ever reported. It is being reported that fraud is being attributed to this breach.

There are still significant questions that are unanswered, such as: How many people were affected, are we seeing more than one breach, and how exactly did this happen? We know it has been attributed to malicious software or something of that nature, but the “how” question is more along the lines of, how did PCI-DSS required controls not stop this from happening?

Posted by d2d

But…Who is it really?

Update: This is looking like it isn’t a breach at a retailer, but a breach at a card processor. This is still unfolding, and could be unrelated to this, but it is increasingly looking like Heartland Payment Systems is the source. If anyone has evidence of any kind linking the Heartland breach to these banks, drop us an email.

A recent article suggests that a major retailer has had a significant breach, affecting thousands of card holders. The breach apparently involves a merchant of First Data Corporation, the organization that runs the STAR debit/ATM network. It may also be affecting customers of banks around the country.

The question is, who is this major retailer? We’re hearing rumblings that this is a significant breach. Unfortunately, those covering it thus far haven’t quite dug up that information.

This isn’t the first time we’ve heard of a retailer having a problem, only to never find out the retailer’s name, but this one seems more significant than those before. We heard similar rumblings before the Hannaford incident.

Update: This article may be related?

What would a card processor gain by protecting the identity of an offending merchant? Several theories have been put forth. In a bad economy, it could be their desire not to negatively affect an already beaten down consumer confidence. Or perhaps it could be to protect the retailer, again given the economy. Or perhaps there is more to it: perhaps the retailer in question was PCI compliant, and disclosure of the retailer would bring about additional criticism for PCI’s Data Security Standard.

And what of breach notification laws? Does forcing the banks (who know little to no details) to send out notifications, in place of the offending merchant, comply with the laws? Or does it circumvent the spirit of them? Are data breach notification laws in existence just to notify consumers of fraud, or are they also meant to help consumers make safer choices with who they do business with?

Hopefully someone will shed a little light on this situation in the near future.

Posted by d2d

The Curious Case of Express Scripts

The recent Express Scripts breach is a fascinating one. It would appear to involve an extortion letter sent first to Express Scripts detailing the personal information of several customers’ customers. It then evolved to include extortion letters to Express Scripts customer-organizations like Toyota, and supposedly others:

“Subsequently, Express Scripts has become aware that a small number of its clients recently received letters threatening to expose the personal information of its members.”, per the website set up to provide information about the incident.

In truth, the website appears to provide little information at all, and given that Express Scripts provides services to some 50 million people, this breach could soon find its way onto our top ten list.

Posted by d2d

Virtual Heist Nets 500,000+ Bank, Credit Accounts

Courtesy [Infowarrior] – Richard Forno

Sat, 01 Nov 2008 08:08:47 -0700…

A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

Researchers at RSA’s FraudAction Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the “Sinowal” Trojan, designed to steal data from Microsoft Windows PCs.

RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks. The company says the cache was the bounty collected from computers infected with Sinowal going back to February 2006.

“Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to utilize just one Trojan,” said Sean Brady, manager of identity protection for RSA, the security division of EMC. “Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006.”

To subscribe to OSF’s Data Loss Mail List, send a mail to:

Posted by Lyger