Over on The Breach Blog, Evan was as confused as I was by Forcht’s Bank notification and description of the breach involving their customers’ debit cards.
Forcht had written to its customers on Jan. 12:
We have just been informed by our debit card processor, STAR, that a retail merchant processor’s information who housed information for several merchants may have been compromised and that some unknown persons are possibly creating duplicate debit cards.
Evan commented:
This wording is confusing. Who is “a retail merchant processor’s information who housed information for several merchants”? Is it Heartland Payment Systems? Is this related to the recent Heartland Payment Systems breach or is this a breach occurring within STAR’s network?
To add to our confusion, on Jan. 19th, the Times Tribune had published a story with the headline, “Hackers break into STAR and ATM Network.” That headline was quietly replaced without note at some later point with “Hackers affect debit and ATM networks.” In the story, a Forcht spokesperson was cited as saying that a “retail merchant’s computer system was hacked.”
A First Data corporate spokesperson provided the following statement on Jan. 21st when I contacted them over the apparent discrepancies and inquired as to whether First Data’s notification to Forcht was about Heartland or another breach:
The STAR Network was not compromised. When the STAR Network was informed of a potential industry issue last week, it notified its member financial institutions about the issue as standard procedure in order to protect debit card holders from fraud. As a network administrator, it is STAR’s responsibility to convey relevant industry information to its
members.We understand that there is a continuing investigation and additional questions should be directed to MasterCard or Visa.
Although the odds are that this is related to the Heartland breach, we still can’t be sure because another bank also notified its customers that they had been informed by MasterCard of a breach involving a retail merchant. MasterCard has not responded to an inquiry as to whether they notified some banks and credit unions of a large-scale breach involving a retail merchant and if so, whether that was correct or an error.
Excellent follow-up. Good work!
Companies are much better at communicating good news than they are at communicating the bad, aren’t they?