DataBreaches.Net


And the rumor mills kick into higher gear

Posted on February 24, 2009 by Dissent

For the past few weeks, some of us have been in communication about reports about a second big processor breach. The good folks over at Open Security Foundation (OSF) went public on February 13 that they were getting multiple tips about the breach. This site was also hearing some of the same reports (perhaps from some of the same sources), but we were all pretty much stuck without actual confirmation that we could cite. Unlike the Heartland breach where we started finding banks in disparate areas reporting breaches, we simply weren’t finding anything yet on the more recent breach.

On Saturday, I was able to locate independent confirmation of the breach. I started posting the notices that I had uncovered, and alerted OSF’s Dave Shettler and other interested parties. The following day, Dave blogged more about the second breach. By Monday, mainstream media had picked up the story and the rumor mills as to the source of the breach kicked into high gear in some quarters.

Thanks to a more recent credit union notice that Jai Vijayan of Computerworld uncovered from the Alabama Credit Union, we now know that this is not just credit cards that have been affected, but that the breach also appears to involve “long lists” of compromised ATM/debit cards. Visa and MasterCard remain mute about the source of the breach, although once the confirmation was found, Visa confirmed to Computerworld that a processor “experienced a compromise of payment card account information from its systems,” and MasterCard’s statement referred to the processor as being in the U.S.

So far neither this site nor OSF has speculated publicly about who the unnamed processor might be, other than to indicate that all signs point to it being a large processor. The recent revelation that the breach also involved ATM/Debit cards and not just card-not-present fraud changes the pool of possible candidate processors.

Whatever happens, it is clear that hackers have figured out how to successfully gain access to tremendous databases of usable data. Following the Heartland breach, Heartland indicated that it was reaching out to others in the industry to promote better sharing of information and end-to-end encryption to prevent problems. But the question remains: how did hackers gain access to the internal network and evade detection for so long? Earlier today, Breach released its annual report, Web Hacking Incidents Database 2008, noting how little we know because of failures to disclose more information that would enable people to prevent problems:

Resistant to Public Disclosure – Most organizations are reluctant to publicly disclose the details of the compromise for fear of public perception and possible impact to customer confidence or competitive advantage.

In many cases we feel that this lack of disclosure, apart from skewing statistics, prevents fixing the root cause of the problem. This is most noticeable in malware-planting incidents, in which the focus of the remediation process is removing the malware from the site rather than fixing the vulnerabilities that enabled attackers to gain access in the first place.

Hopefully, Heartland is sharing specific information with other processors so that they can bring in forensic experts to review their systems to determine if they, too, may have been breached without it ever being detected. But as one bank security expert reminded me recently, end-to-end encryption doesn’t prevent intrusion and assuming that entities are, indeed, compliant with PCI-DSS, the standards probably need revision. Heartland’s compliance with PCI-DSS standards is currently under review.

In the meantime, this site will not speculate on who the “Unnamed Processor” might be, although I have been informed that one of the entities whose name has been suggested on other web sites or in other media coverage has flatly denied being breached. It is also not clear to me (yet) whether this unnamed processor breach is related to another series of fraud reports I have started investigating or whether those reports represent yet another processor breach that was never reported in the mainstream media or to the public. It’s getting so that I need a scorecard to keep the breaches straight, and that’s not good. And my real fear is that most processors have already been breached but just haven’t detected it yet.

Category: Breach Incidents
