CardSystems Data breach case

by tirial

In 2005 the CardSystems case resulted in increased attention to the issue of data breaches. It was the first high-profile case in which card issuers withdrew a processor's right to process their cards.

The most famous data breach is probably the TJX case, with over 45 million credit cards compromised. However, in 2005, two years earlier, the CardSystems case resulted in increased attention to the issue of data breaches. It was also the first high-profile case in which the card issuers resorted to their final recourse against a company in a data theft case.

The Card Systems Case

A high profile target

CardSystems, as a credit card processor and aggregator which processed cards for most of the major providers, was a high-profile target for this sort of fraud.

As a result, it was required to comply with data security standards. CardSystems engaged an auditor and in June 2004 was certified as compliant. Relevant to the case, this certification attested that CardSystems was following a high standard of security and that its data was encrypted. (wired.com 2005, via archive.org)

On June 17th 2005 Mastercard disclosed that there had been a major data breach at CardSystems (Securityfocus). The question of who discovered the fraud has been debated: CardSystems claimed it discovered the breach itself, while Mastercard stated that it had traced the fraud back to CardSystems externally (CNN).

The result was the same: 40 million credit cards had been compromised.


How it was done - a SQL injection attack

The Card Systems data breach

As with an increasing number of cases, the CardSystems breach appears to have been an external attack with no inside help.

Internet news quotes a statement covering the hack, but more information is available from Xiom and the FTC complaint. Here is a summary:

It appears that a hacker or hackers gained access to the system through a web application which customers used to access their own data. They used a SQL injection attack, in which a small snippet of code is inserted into the database through the front end (the browser page). Once on the server, the code ran every four days. It gathered credit card data from the database, put it in a file (zipped to reduce its size) and sent it to the hackers via FTP.

Three such files were downloaded, with over 200,000 credit card details in them.

The question of Compliancy

Was CardSystems PCI DSS compliant?

This caused an uproar.

SQL injections can be as simple as copying and pasting code into a box on a web form. They are stopped comparatively easily by properly designed applications, a web application firewall, or many other means. These safeguards are required by the standard CardSystems was allegedly in compliance with. The fact that an injection attack got through raised questions over its firewall.
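To make concrete what "properly designed applications" means in the summary of the attack above and in this paragraph, here is an added example (not code from the original article, and not CardSystems' application) of a customer lookup written two ways over a small in-memory SQLite table. The table name, column names and card numbers are constructed for the example; the card numbers are well-known test values, not real accounts. The unsafe version splices the customer's input into the SQL text, so an input that closes the quote and adds a condition returns every row in the table. The parameterised version binds the same input as a value, so the database treats it as a literal merchant name and returns nothing.

```python
import sqlite3

# Constructed sample data for this example: a processor's transaction log.
# The card numbers are standard test values, not real accounts.
SAMPLE_ROWS = [
    ("merchant-a", "4111111111111111", "2005-06-01"),
    ("merchant-a", "4222222222222222", "2005-06-02"),
    ("merchant-b", "5555555555554444", "2005-06-03"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (merchant TEXT, pan TEXT, tx_date TEXT)"
    )
    # Parameterised insert: the driver binds each value, nothing is pasted
    # into the SQL text.
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, merchant):
    """The defect: the web form's input becomes part of the SQL statement.

    Whatever the customer typed is concatenated between the quotes, so the
    input can change the meaning of the WHERE clause.
    """
    sql = (
        "SELECT merchant, pan FROM transactions WHERE merchant = '"
        + merchant
        + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, merchant):
    """The fix: the statement is fixed text and the input is bound as a value.

    The database never parses the customer's input as SQL, so a string
    containing quotes or operators is simply a merchant name that matches
    no row.
    """
    sql = "SELECT merchant, pan FROM transactions WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()


# Constructed input of the kind a form field might receive: it closes the
# open quote and appends a condition that is always true.
INJECTED_INPUT = "' OR '1'='1"


def demo():
    """Run both lookups against a normal input and the injected one."""
    conn = build_db()
    return {
        "normal_vulnerable": len(vulnerable_lookup(conn, "merchant-a")),
        "injected_vulnerable": len(vulnerable_lookup(conn, INJECTED_INPUT)),
        "normal_safe": len(safe_lookup(conn, "merchant-a")),
        "injected_safe": len(safe_lookup(conn, INJECTED_INPUT)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} rows returned")
```

Running the block prints two rows for the normal input under both functions, all three rows for the injected input under the vulnerable function, and zero rows for the injected input under the parameterised one. The only difference between the two functions is whether the input is text inside the statement or a bound parameter; that single design choice is the application-level safeguard the standard expects, independent of any firewall in front of the server.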

Further, CardSystems had been storing the data for research purposes in an unencrypted format. Under the standard's requirements, all credit card data must be encrypted, and destroyed once it is no longer needed for the transaction.

The investigation found that CardSystems did not appear to be compliant with the standard.

Withdrawal of Services

Visa and Amex close the doors

On the 19th July 2005 Visa, unhappy with the corrections CardSystems had made following the breach, announced that it was withdrawing CardSystems' right to process payments on its behalf. It gave the banks that had used CardSystems until October to find another payment processor.

This was the final recourse available to any of the card providers, and using it caused a stir. CardSystems stated that it hoped Visa would reconsider, only for Amex to follow Visa's lead a few days later. (Opinion piece)

With the loss of two of the major providers, and the banks that took those cards taking their business elsewhere, CardSystems' future was in doubt.

The sale of CardSystems

After the withdrawal

With both Visa and Amex having pulled out, CardSystems could not be saved as a going concern. Mastercard had given it until August 31st to reach PCI DSS compliance, with the unspoken threat of fines or of following suit with Visa and Amex.

The new security head, Joe Christensen, had to try to make CardSystems PCI compliant to make the company viable for sale. With an extensive client list, it would be a good takeover target, as long as it could be shown to be genuinely compliant. (searchsecurity)

The compliance deadlines were extended twice: first to 31st October, then to 31st January. With increased security and staff training, CardSystems became an attractive prospect to buy, and the company was eventually acquired by Pay-by-touch in 2005.

Far reaching effects

Ongoing issues

The case opened up a can of worms, and the legal effects are still ongoing.

The question of liability was tricky. Because of a change in the law, card owners have to be notified if their card details are stolen. This raised the hotly debated and ongoing question of who notifies them and who is liable for the cost.

CardSystems and its purchaser face independent security audits every other year for the next twenty years.

Four years later, in May 2009, the case made the news again. One of the banks affected began a lawsuit against Savvis, the auditor which had stated that CardSystems was compliant (Wired, June 2009). The bank estimates the case cost it nearly £16M.


The results of the Case

Savvis vs. Merrick Bank

The case was dismissed or settled on 23rd December 2010, depending on which sources you read (Wired March 2014, SecurityCurrent April 2014), and the papers were sealed, making it very difficult to find details of the result. It is back in the news after the Target hack once again raised the issue of whether security auditors who failed to spot a hack in progress are liable.

A timeline in Articles

The Card Systems case as it progresses

If you would like to know more about the case, in addition to the articles I have linked to throughout, here are a few others used for background detail.

Please note that the last article deals with the Savvis lawsuit, in which one of the banks is now suing CardSystems' auditor.

PCI DSS resources and Books

Achieving the security standard

The Payment Card Industry Data Security Standard is designed to prevent events such as the CardSystems case from occurring again. If you are a company which accepts or processes credit cards, it is something you need to look into.

If you are investigating PCI DSS Compliance for your company, here are the latest books from Amazon. These might help you gain an overview of the standard. There is also the official site:

The PCI DSS Official Site

www.pcisecuritystandards.org

PCI Compliance, Fourth Edition: Understand and Implement Effective PCI Data Security Standard Com...


PCI DSS a Pocket Guide (Compliance)


Protecting your information

What you can do as an individual

While cases like CardSystems may make it seem as though there is little you can do to protect your data, this is not true. Identity theft can happen as simply as someone going through your rubbish for old bank statements.

To protect yourself, here are some books that can help:

Identity Theft For Dummies


In conclusion

The Card Systems case was overshadowed by the TJX case, and now the revelations about Heartland and RBS. Are there any comments about the case, questions that the lens raises, or anything you think I've missed? Let me know here.

Comments from the old guest book

This article has moved from Squidoo to this page

billyaustindillon 4 years ago

Excellent article thanks 5*


anonymous 4 years ago

Thank you


shreddingdallas 3 years ago

Your private information can be misused and it is up to them to surrender the files if needed or to properly shred them so that no one else can gain access to them. For instance, shredding San Antonio service providers should be able to guarantee to their clients that their private documents are properly shredded.


inhousefinancing 3 years ago

It is unacceptable that a large credit card company would put their clients at risk by using unencrypted software and website access. Which raises a very important point. I fervently buy on the Internet all the time and encourage others to do so, since it is actually safer than handing your credit card to a person at a retail establishment. Just keep in mind that the website address you are using to pay with your credit card is the following: (https:). Make absolutely sure that the (s) without the quotes is in the beginning protocol. If it is, you have nothing to worry about. Good shopping.


vancrideout 2 years ago

Yes, this is a very big risk when it comes to money we're talking about.


anonymous 2 years ago

Great Lens!! This will really help me..excellent information!! Thanks so much!!


Vortrek Grafix 22 months ago

The importance of PCI DSS compliance cannot be understated. While there are useful guidelines, breaches are typically the result of lax implementation and/or enforcement of security policy. Good topic.

Updated: 01/31/2015, tirial