The most famous data breach is probably the TJX case, with over 45 million credit cards compromised. However, in 2005, two years earlier, the CardSystems case drew increased attention to the issue of data breaches. It was also the first high-profile case where the card issuers resorted to their final recourse against a company in a data theft case.
CardSystems Data breach case
In 2005 the CardSystems case resulted in increased attention to the issue of data breaches. It was the first high-profile case where card issuers withdrew a company's right to process cards.
The Card Systems Case
A high profile target
CardSystems, as a credit card processor and aggregator who processed cards for most of the major processors, was a high profile target for this sort of fraud.
As a result, they were required to comply with data security standards. CardSystems engaged an auditor and in June 2004 they were certified as compliant. Relevant to the case, this certification attested that they were following a high standard of security and that data was encrypted. (wired.com 2005 via archive.org)
On June 17th 2005 Mastercard disclosed that there had been a major data breach at CardSystems (Securityfocus). The issue of who discovered the fraud has been debated. CardSystems claimed they discovered it, while Mastercard stated that they tracked it back externally (CNN).
The result was the same. 40 Million credit cards had been compromised.
How it was done - a SQL injection attack
The Card Systems data breach
As with an increasing number of cases, the CardSystems case appears to have been an external fraud with no inside help.
It appears that a hacker or hackers gained access to the system through a web application which customers used to access their own data. They used a SQL injection attack, in which a small snippet of SQL is slipped into a database query through the front end (the browser page) so that the database runs it as part of its own statement. Once installed on the server, the code ran every four days: it gathered credit card data from the database, put it in a file (zipped to reduce its size) and sent it to the hackers via FTP.
Three such files were downloaded, with over 200,000 credit card details in them.
The question of compliance
Was CardSystems PCI DSS compliant?
This caused an uproar.
SQL injections can be as simple as copying and pasting code into a box on a form on a web page. They are stopped comparatively easily by properly designed applications, a web application firewall, or many other means. These safeguards are required by the standard CardSystems was allegedly in compliance with, so the fact that an injection attack got through raised questions over their firewall.
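To make the attack and the "properly designed application" defence concrete, here is an added example that is not part of the original article and has nothing to do with CardSystems' actual code. It builds a tiny in-memory merchant table (constructed sample data) and shows the same lookup written two ways: with the form value pasted into the SQL text, and with the value bound as a parameter. A small pattern check stands in for the kind of tripwire a web application firewall might log; it is a detection aid, not a substitute for the parameterised query.

```python
import re
import sqlite3

# Constructed sample data standing in for a "customers look up their own
# data" application. Names and ids are invented for this example.
SAMPLE_ROWS = [
    ("acme-1", "Acme Stores", "visa"),
    ("bean-2", "Bean Coffee", "mastercard"),
    ("zed-3", "Zed Electronics", "amex"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (id TEXT, name TEXT, scheme TEXT)")
    conn.executemany("INSERT INTO merchant VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """The broken pattern: whatever the browser sends becomes SQL text."""
    sql = "SELECT name FROM merchant WHERE id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, merchant_id):
    """The fix: the statement is fixed and the value travels separately as a
    bound parameter, so input can only ever be compared against the id column."""
    sql = "SELECT name FROM merchant WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (merchant_id,))]


# A crude tripwire for request logs / a WAF rule: a quote followed by a SQL
# keyword or comment marker is almost never a legitimate merchant id.
INJECTION_PATTERN = re.compile(r"'\s*(or|and|union|;|--)", re.IGNORECASE)


def flag_suspicious_input(value):
    """True when the form value looks like an injection attempt."""
    return bool(INJECTION_PATTERN.search(value))


def demo():
    """Run both lookups with an honest id and with the textbook crafted value."""
    conn = make_db()
    honest = "acme-1"
    # Not a merchant id at all: closes the quoted string and appends a
    # condition that is always true.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterised_honest": lookup_parameterised(conn, honest),
        "parameterised_crafted": lookup_parameterised(conn, crafted),
        "flagged": flag_suspicious_input(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated query the crafted value returns every merchant's record; with the bound parameter it returns nothing, because the database only ever compares the whole string against the id column. The same fix applies to any language's database driver: parameters, not string assembly.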
Further, CardSystems had been storing the data for research purposes in an unencrypted form. Under the standard's requirements all credit card data must be encrypted, and destroyed once it is no longer needed for the transaction.
The investigation found that CardSystems did not appear to be compliant with the standard.
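The "kept for research, unencrypted" finding is the other half of the case, so here is an added example (not from the article, and not how CardSystems or any processor actually stores data) of what a retention step that respects the standard's intent can look like. It assumes a processor wants to study repeat card usage after settlement: it keeps only a masked number (first six and last four digits, the most PCI DSS permits to display), replaces the full number with a keyed hash so repeat cards can still be counted, and never copies the CVV at all. The key name and the sample records are constructed for the example; the card numbers are the well-known per-scheme test numbers, not real accounts.

```python
import hashlib
import hmac

# Constructed sample records standing in for settled transactions.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "cvv": "123", "amount": 19.99, "merchant": "acme-1"},
    {"pan": "5555555555554444", "cvv": "456", "amount": 5.00, "merchant": "bean-2"},
    {"pan": "4111111111111111", "cvv": "123", "amount": 42.50, "merchant": "zed-3"},
]

# Hypothetical key for the example. In a real deployment it lives in an HSM or
# key service, never beside the research data it protects.
RESEARCH_KEY = b"example-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Checksum sanity check before a value is treated as a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def research_token(pan: str, key: bytes) -> str:
    """Keyed hash so analysts can link repeat cards without holding the PAN.

    An unkeyed hash would not do: with the Luhn check and known issuer
    prefixes the space of valid card numbers is small enough to brute-force
    back from a bare digest."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def retain_for_research(records, key):
    """Produce the only form of the data that should outlive settlement."""
    kept = []
    for r in records:
        if not luhn_valid(r["pan"]):
            raise ValueError("not a card number")
        kept.append({
            "pan_masked": mask_pan(r["pan"]),
            "card_token": research_token(r["pan"], key),
            "amount": r["amount"],
            "merchant": r["merchant"],
            # CVV and track data are never stored after authorisation,
            # so they are simply not copied across.
        })
    return kept


def contains_full_pan(records) -> bool:
    """Audit helper: does any retained field still hold a full card number?"""
    return any(
        luhn_valid(v)
        for r in records
        for v in r.values()
        if isinstance(v, str) and v.isdigit() and 13 <= len(v) <= 19
    )


if __name__ == "__main__":
    kept = retain_for_research(SAMPLE_RECORDS, RESEARCH_KEY)
    for row in kept:
        print(row)
    print("full PAN present:", contains_full_pan(kept))
```

The audit helper is the check worth automating: run it over whatever the research team actually keeps, not over what the policy says they keep. The tokenised set still lets an analyst see that the first and third transactions were the same card, which is the legitimate research question, without the store holding anything a thief could sell.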
Withdrawal of Services
Visa and Amex close the doors
On the 19th July 2005 Visa, unhappy with the corrections CardSystems had made following the breach, announced that it was withdrawing the right for CardSystems to process payments on its behalf. It gave the banks that had used them until October to find another payment processor.
This was the final recourse of any of the card providers, and using it caused a stir. CardSystems stated that they hoped Visa would reconsider, only for Amex to follow Visa's lead a few days later. (Opinion piece)
With the loss of two of the major providers and the banks that took those cards taking business elsewhere, CardSystems' future was in doubt.
The sale of CardSystems
After the withdrawal
With Visa and Amex both having pulled out, CardSystems could not be saved as a going concern. Mastercard had given them until August 31st to reach PCI DSS compliance, with the unspoken threat of fines or of following suit with Visa and Amex.
The new security head, Joe Christensen, had to try to make CardSystems PCI compliant to make the company viable for sale. With an extensive client list, it would be a good takeover target, as long as they could ensure it really was compliant. (searchsecurity)
The compliance deadlines were extended twice - first to 31st October, then to 31st January. With increased security and staff training, CardSystems became an attractive prospect to buy, and eventually the company was acquired by Pay By Touch in 2005.
Far reaching effects
The case opened up a can of worms, and the legal effects are still ongoing.
The question of liability was tricky. Because of a law change, cardholders have to be notified if their card is stolen. This raised the hotly debated and ongoing question of who notifies them and who is liable for the cost.
CardSystems and its purchaser face independent security audits every other year for the next twenty years.
Four years later, in May 2009, the case made the news again. One of the banks affected began a lawsuit against Savvis, the auditors who had stated that CardSystems was compliant (Wired, June 2009). They estimate the case cost them nearly £16M.
The results of the Case
Savvis vs. Merrick Bank
The case was dismissed or settled on 23rd December 2010, depending on which sources you read (Wired March 2014, SecurityCurrent April 2014), and the papers were sealed, making it very difficult to find details of the result. It is back in the news after the Target hack once again raised the issue of whether security auditors who failed to spot a hack in progress are liable.
A timeline in Articles
The Card Systems case as it progresses
If you would like to know more about the case, as well as the articles I have linked to throughout, here are a few others used for background detail.
Please note that the last article deals with the Savvis lawsuit, where one of the banks is now suing CardSystems' auditor.
- CardSystems' Data Left Unsecured (June 2005, Wired.com via archive.org)
Visa says a company that experienced the largest credit-card security breach ever disclosed did not meet basic security standards, even though it was certified secure by Visa. By Kim Zetter.
- MasterCard fingers partner in 40m card security breach • The Register (18th June 2005)
MasterCard fingers partner in 40m card security breach
- Unauthorised research opened door to MasterCard breach • The Register (21st June 2005)
Data was held for "research" purposes
- Visa cuts CardSystems over security breach • The Register (19th July 2005)
Visa cuts CardSystems over security breach
- The CardSystems blame game (Security Focus - August 2005)
Hiring a security auditor in light of the CardSystems breach reveals quite a bit about the legal side of security consultants.
- CardSystems Sells Out After Massive Data Breach (Consumer Affairs - 19th October 2005)
CardSystems Sells Out After Massive Data Breach
- CardSystems Settles Data Breach Charges - InternetNews.com (24th February 2006)
Credit card processor agrees to tighten security practices and accepts third-party audits.
- Finextra: Savvis faces bank lawsuit over CardSystems data breach (Finextra - 26th May 2009)
Savvis faces bank lawsuit over CardSystems data breach - news story in full from Finextra
- 23rd December 2010 - Lawsuit is dismissed or settled and records sealed. Story in Security Current, April 2014 - http://www.securitycurrent.com/en/analysis/ac_analysis/dodging-the-bullet
PCI DSS resources and Books
Achieving the security standard
The Payment Card Industry Data Security Standard is designed to prevent events such as the CardSystems case from occurring again. If you are a company which accepts or processes credit cards, it is something you need to look into.
If you are investigating PCI DSS Compliance for your company, here are the latest books from Amazon. These might help you gain an overview of the standard. There is also the official site:
The PCI DSS Official Site
- PCI Compliance, Fourth Edition: Understand and Implement Effective PCI Data Security Standard Com...
Identity theft and other confidential information theft have now topped the charts as the leading cybercrime. In particular, credit card data is preferred by cybercriminals. Is ...
- PCI DSS a Pocket Guide (Compliance)
All businesses that accept payment cards are prey for hackers and criminal gangs trying to steal payment card details and commit identity fraud. The PCI DSS (Payment Card Indust...
Protecting your information
What you can do as an individual
While cases like CardSystems may make it seem as though there is little you can do to protect your data, this is not true. Identity theft can happen as simply as someone going through your rubbish for old bank statements.
To protect yourself, here are some books that can help:
The Card Systems case was overshadowed by the TJX case, and now the revelations about Heartland and RBS. Are there any comments about the case, questions that the lens raises, or anything you think I've missed? Let me know here.
Comments from the old guest book
This article has moved from Squidoo to this page
billyaustindillon 4 years ago
Excellent article thanks 5*
anonymous 4 years ago
shreddingdallas 3 years ago
Your private information can be misused and it is up to them to surrender the files if needed or to properly shred them so that no one else can gain access to them. For instance, shredding San Antonio service providers should be able to guarantee to their clients that their private documents are properly shredded.
inhousefinancing 3 years ago
It is unacceptable that a large credit card company would put their clients at risk by using unencrypted software and website access. Which raises a very important point. I fervently buy on the Internet all the time and encourage others to do so, since it is actually safer than handing your credit card to a person at a retail establishment. Just keep in mind that the website address you are using to pay with your credit card is the following: (https:). Make absolutely sure that the (s) without the quotes is in the beginning protocol. If it is, you have nothing to worry about. Good shopping.
vancrideout 2 years ago
Yes, this is a very big risk when it comes to money we're talking about.
anonymous 2 years ago
Great Lens!! This will really help me..excellent information!! Thanks so much!!
Vortrek Grafix 22 months ago
The importance of PCI DSS compliance can not be understated. While there are useful guidelines, breaches are typically the result of lax implementation and/or enforcement of security policy. Good topic.