Forty Million Stolen Identities Later: Learning from CardSystems' Breach
After the largest known compromise of personal information, the FTC details the information security failures that helped cause it.
How do you compromise 40 million identities?
Start by storing sensitive credit card information, against regulations and in violation of accepted business practices. Store that information unencrypted. Don’t monitor the network for intrusions. Finally, on the corporate PCs holding the sensitive information, don’t patch known vulnerabilities, and don’t use inexpensive security software or strong authentication to protect them.
If this sounds familiar, that's because it describes credit card processor CardSystems, which gained notoriety last year when attackers broke into its network and accessed more than 40 million credit card numbers, resulting in millions of dollars in fraudulent transactions, banks having to cancel numerous cards, many merchants not getting reimbursed for fraudulent purchases, and potentially millions of consumers subject to identity theft.
Details of CardSystems’ poor information security practices, which led to the security breach, emerged when the Federal Trade Commission (FTC) recently announced the terms of its settlement with the privately held company over what it characterizes as the “largest known compromise of financial data to date.”
Learning from CardSystems
What led to such a massive security breach? CardSystems offered credit card authorization processing for small and mid-size merchants. Last year the company processed about 210 million purchases via credit cards, totaling more than $15 billion for over 119,000 merchants. “In processing these transactions, CardSystems collected personal information from the magnetic strip of the card, including the card number, expiration date, and other data,” says the FTC. “CardSystems then stored this information on its computer network.”
Storing this credit card information violated several regulations, including MasterCard, Visa, and FTC security requirements. “CardSystems kept information it had no reason to keep and then stored it in a way that put consumers’ financial information at risk,” notes Deborah Platt Majoras, chairman of the FTC, in a statement. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”
CardSystems was unaware that its network had been hacked and the credit card information stolen until MasterCard traced multiple identity thefts back to it. In its defense, CardSystems said the sensitive information was stored “for research purposes” and blamed its auditor.
According to the FTC, however, there were six broad information security problems at CardSystems:
- creating unnecessary risks by storing sensitive credit card information
- failing to monitor the network for known vulnerabilities, including “Structured Query Language” injection attacks
- failure to “implement simple, low-cost, and readily available defenses to such attacks”
- lack of strong passwords, which would have prevented attackers who penetrated the network defenses from easily breaking into other computers on the network
- not using “readily available security measures” to isolate PCs in the network from the Internet, or from each other
- insufficient measures for detecting unauthorized access to sensitive information or conducting security investigations
The CardSystems breach highlights the effect poor information security practices can have on a company’s bottom line. For example, after the breach, Visa and American Express ceased doing business with CardSystems, and the FTC began an enforcement action, its first against a credit card processor, though the ninth involving “alleged failures to secure credit and debit card information,” it says.
Beyond this action, “as in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach,” notes the FTC. In particular, CardSystems was named in a class action lawsuit, along with Merrick Bank, Visa, and MasterCard, to compensate the consumers and merchants affected by the breach.
Technically, CardSystems also went out of business. In December 2005, all of CardSystems’ assets were sold to Pay By Touch Payment Solutions LLC. Yet that’s not the end of the story. As the FTC notes, “Pay By Touch uses CardSystems’ former employees, equipment, and technology to process transactions for the same merchants CardSystems served.” Like CardSystems, Pay By Touch is also a registered agent of Merrick Bank.
Under the terms of the FTC’s settlement—now open for public comment—Pay By Touch must “establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards.” Furthermore, it must have a neutral, objective third-party security audit conducted within 180 days, and then every other year, for 20 years.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.