Western Union Web Site Is Hacked

[William Knowles <wk () C4I ORG>]

http://www.washingtonpost.com/wp-srv/aponline/20000910/aponline195401_000.htm

By Steve Gutterman
Associated Press Writer
Sunday, Sept. 10, 2000; 7:54 p.m. EDT

DENVER Western Union on Sunday said hackers made electronic copies of
the credit and debit card information of 15,700 consumers who
transferred money on the company's Web site, which was left
unprotected while undergoing maintenance.

The company began notifying affected customers via telephone and
e-mail over the weekend and by late Sunday had informed Visa and
MasterCard about which of its cardholders had been affected.

Western Union spokesman Peter Ziverts said, so far, no cases of credit
card fraud have been reported to the Englewood, Colo.-based company.
Visa International and MasterCard International Inc. have begun
monitoring customers' accounts for possible fraudulence, Ziverts said.

Western Union, a unit of Atlanta-based First Data Corp., first learned
the Web site had been hacked on Friday. The Internet-based
money-transfer service began in June, though the company was planning
an official launch of the Web site sometime this month. Ziverts said
the launch would likely be delayed.

Marc Rotenberg, executive director of the Washington-based Electronic
Privacy Information Center, said the Western Union security breach
reflects the risks to consumers as companies rush to do business on
the Internet.

"In the end, what matters to consumers is that the companies to which
they entrust their credit card numbers and personal information will
be able to safeguard that data," Rotenberg said.

Last week, American Express announced it will offer disposable credit
card numbers for safer online shopping, part of a bid to address
privacy and security issues analysts say have slowed the growth of
e-commerce.

Online money transfer accounts for an "absolutely minuscule" portion
of the company's total transactions, Ziverts said. He would not say
how much online business the company has lost due to the problem.

The Web site that was hacked www.westernunion.com also allows
customers to apply for a loan, send messages and locate the nearest
Western Union store. Customers using these services were not affected.

Western Union offers similar services on a separate Web site
www.moneyzap.com and customers using that site were not affected.

Ziverts said the problem was caused by human error and not an inherent
technical flaw systems employees conducting regular maintenance left
parts of it unprotected, allowing hackers to break in, he said. He
said it was not an inside job.

The company has not taken any disciplinary action.

The company and law enforcement were investigating the breach, but
Ziverts declined to provide further details about the probe or say
what agencies were involved. The FBI office in Denver would not say
whether it was participating.

Western Union carried out 73 million money transfer transactions
worldwide last year. Most of them are done through agents in stores
and other locations, others by phone. Only customers who used the Web
site were affected, the company said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".