BreachExchange mailing list archives

Unnamed Acquirer Processor Breach Timeline, some additional confirmation


From: David Shettler <dave () opensecurityfoundation org>
Date: Thu, 26 Feb 2009 09:26:02 -0500

(see the blog for links to all the things mentioned)

http://datalossdb.org/incident_highlights/23-unnamed-acquirer-processor-breach-timeline

Here's a timeline of what we've seen surrounding this vaguely
disclosed breach. First, some terms:

CAMS: This is an acronym for a Visa-implemented system, the
"Compromised Account Management System". Alerts are distributed via
this system to banks and other financial institutions to facilitate
card reissuing and fraud detection. Mastercard also issues similar
alerts.

Card Not Present: This term means exactly what you think it does. The
card was not physically present during the transaction. This is
typical in online shopping, telephone sales, etc.

February 11th, 2009: Fiserv blasted out this alert to their customers
(banks, credit unions, processors, etc). We were tipped on this by
multiple sources. The statement reads:

"The Risk Office Team has received information from Visa and
MasterCard regarding the confirmed compromise of a U.S.-based acquirer
processor. Please note that the compromised card alerts for this event
are not related to the Heartland Data Systems’ breach. Given that
confirmation of the Heartland breach and this new compromise occurred
in such close proximity, it’s possible that the same card numbers
could appear on compromised card lists associated for both events. You
may wish to take this into consideration as you execute your
organization’s monitoring and/or reissue plans for recently
compromised cards."

February 12th, 2009: The Community Bankers Association of Illinois
posts a notice that included the following:

"Today, VISA announced that an unnamed processor recently reported
that it had discovered a data breach. The processor’s name has been
withheld pending completion of the forensic investigation..."

Between 2-11 and 2-13: The Tuscaloosa Federal Credit Union releases a
notice regarding the incident that reads:

"On the heels of the Heartland Payment Systems breach, another U.S.
acquirer-processor has confirmed a network intrusion exposing primary
card numbers and card expiration dates for card-not-present (CNP)
transactions. Unlike the Heartland Payment breach, this breach does
not expose magnetic stripe track data. The reported incident involves
confirmed unauthorized access to a U.S. acquirer processor’s
settlement system of stored transaction information that included
Primary Account Numbers (PANs) and expiration dates. As the entity
involved has not yet issued a press release, Visa and MasterCard are
unable to release the name of the merchant processor. It is important
to note that this event is not related to the Heartland Payment
Systems breach."

February 13th, 2009: The Independent Community Bankers of America
releases this on their website:

"ICBA learned of another security breach involving a merchant
processor. The breach appears to be large, but not as large or severe
as the recent breach at Heartland Payment Systems. The name of the
breached processor is unknown at this time, but ICBA knows that: All
accounts and all brands were equally exposed; however, only card
numbers and expiration dates were captured. No track data was
captured. Because there is no evidence of skimming counterfeit and all
known fraudulent transactions have been key entered, Visa's ADCR
program will not cover losses. However, compliance and “card not
present” (depending on status of VbyV/SecureCode) chargeback rights
should apply. MC issuers must file via compliance as they always do.
Alerts for this new incident are being reported under Visa series
US-2009-088 and MasterCard series MCA0150-US-09."

February 13th, 2009: The Pennsylvania Credit Union Association
released this statement which we've retrieved from Google cache, as
the content of the old notice is now displaying a new notice about
something else. The old notice read:

"Earlier this week, Visa and MasterCard began issuing accounts
involved in a merchant processor breach. The reported incident
involves confirmed unauthorized access to a U.S. acquirer
processor’s settlement system of stored transaction information that
included Primary Account Numbers (PANs) and expiration dates. No
magnetic stripe track data has been identified at risk in this alert.
As the entity involved has not yet issued a press release, Visa and
MasterCard are unable to release the name of the merchant processor.
It is important to note that this event is not related to the
Heartland Payment Systems breach. While it has been confirmed that
malicious software was placed on the processor’s platform, there is
no forensic evidence that accounts were viewed or taken by the
hackers. Since the final forensic report has not been provided there
is no estimate available at this time of the number of accounts
involved in this event. Law enforcement is actively engaged in an
investigation into this situation. Visa began releasing affected
accounts on Monday, February 9, 2009 under CAMS event series
US-2009-0088-IC. They expect to have all accounts released by Friday,
February 13. MasterCard began releasing accounts on Wednesday,
February 11, 2009 under MC Alert series MCA0150-US-09. They have not
provided any information as to when they expect to have all their
accounts released. The current window of exposure provided by both
card associations is from February 2008 through January 2009. The only
data elements at risk are account number and expiration date. No track
data, PIN, CVV2/CVC2 data or cardholder-identifying information was
captured. As in all events, it is the issuer’s decision whether or
not a block and/or reissue decision is warranted. However, we would
like to emphasize that this event carries a lower level of risk than
the Heartland compromise."

February 13th, 2009: We posted a blog entry regarding what we've been
hearing from tipsters, who are usually dead on about these things, but
we did so only after corroborating that the tips we'd heard were also
being heard by others.

February 17th, 2009: The Alabama Credit Union posts a notice on their
website that reads:

"Alabama Credit Union has been notified by VISA that some members'
VISA credit card information may have been discovered during a breach
at a card processor's site. VISA has not named the card processor."

February 17th, 2009: The Bankers' Bank of Kansas posts a notification
which reads:

"Two large data compromises affecting credit and debit cards were
announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively
monitors all alerts from Visa®, MasterCard®, and our processor for
compromised card data...."

February 19th, 2009: The Alabama Credit Union follows up on their
initial reporting with an update indicating how fraud is being
committed as a result of this new breach, and it contains the
following:

We have been notified by VISA that a lengthy list of VISA ATM/Debit
Card numbers was included as part of a data breach at an unknown
vendor's location. VISA has declined to name the vendor or processor.
The fraudulent transactions are primarily characterized as purchases
of prepaid phone cards, prepaid gift cards, and money orders from
Wal-Mart, and usually occur in $100 increments.

February 22nd, 2009: We posted a follow-up to our original story, with
new information (some of the above timeline items) gathered from
databreaches.net.

February 24th, 2009: News reports are released about St. Mary's Credit
Union receiving notification regarding this breach. The article
writes:

"A breach of a credit card processing system at St. Mary's Credit
Union yesterday affected up to 4,300 customers and likely cost the
business more than $20,000....The credit union does not know the name
of the processing system, but Battista said the breach likely affected
people across the country..."

End of Timeline

This is what we know. Of course, there is a lot of speculation as to
who the unnamed is. Our mailboxes here are on fire with speculation,
and you can read the comments on some of our previous posts on the
topic to see examples of it. We have no solid information regarding
who the affected organization is. We do know that we've had two other
major breaches recently involving this type of data, namely: RBS
Worldpay and Heartland Payment Systems. We also know that in a
statement to the Consumerist, Visa and Heartland are adamant that this
new breach was not them.

Ultimately, I think the banks will demand to know, considering the
costs are mostly their burden to bear. But in the meantime, we wait.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
