Virginians get notice of card-data breach


Banks and credit unions across Virginia have sent letters to customers warning them that their credit, debit or ATM cards have been compromised.

The financial institutions took the steps because of a data breach -- believed to be the nation's largest -- linked to fraudulent activity at card processor Heartland Payment Systems Inc. in New Jersey.

The number of affected Virginians is not known yet.

The data breach has affected in some way more than 500 institutions across the nation, said Patricia Satterfield, president and chief executive officer of the 85-member Virginia Association of Community Banks.

In Virginia, "we don't know a total yet," she said. "This has been coming in waves since the January announcement."

This breach appears to be larger than the one involving retailer T.J. Maxx in 2007, which exposed the data of more than 45 million consumers, Satterfield said.

"The numbers thrown around would seem to indicate perhaps it is the largest one," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego, which tracks data breaches. "It's not really clear at this point. It's a question of how many months this thing was going on."

. . .

Some customers have not received letters yet because their banks decided just to monitor their accounts internally and shut them down if the banks, or the customers, detected fraudulent activity.

Some financial institutions, such as Central Virginia Bank in Powhatan County, have already issued new cards to customers. Others have tightened their security.

The fallout is expected to continue possibly for months as notices of affected accounts continue to roll in to financial institutions from Visa and MasterCard.

Officials from Wachovia, Bank of America, Village Bank, Central Virginia Bank, the Virginia Credit Union and Citibank confirmed that their institutions were affected in some way.

Some banks would not disclose how many accounts were exposed.

The Virginia Credit Union said it has contacted 44,000 customers whose information was exposed. Central Virginia Bank, which has nine branches, said the information of more than 2,000 of its customers was breached.

Banks across the state are buzzing about the breach, said Joseph E. Spruill III, general counsel for the Virginia Bankers Association.

Heartland Payment Systems announced the breach on Jan. 20.

Around that time, financial institutions started receiving notices regarding affected cardholders.

Heartland disclosed on its Web site that the security breach happened "during some portion of 2008." It said card numbers, expiration dates, sometimes cardholder names and data from the cards' magnetic strip were exposed.

Some people's personal identification number is embedded in the magnetic strip of their cards.

Central Virginia Bank security officer F. William Kidd said personal data is all crooks need to create a counterfeit card and use it. Already, "we discovered counterfeits being used in Florida and California" as a result of the breach.

Banks must pay to issue new cards and to reimburse any money fraudulently drained from customers' accounts.

Heartland, which processes about 100 million transactions a month for small retailers, gas stations, restaurants and midsize companies, has set up a Web site, http://www.2008breach.com, to provide information about the incident.

Its Web site said the breach is suspected to have been the work of a "widespread global cyberfraud operation."

A piece of malicious software was discovered that potentially enabled information to be compromised as it crossed Heartland's network, the company said. Forensic auditors are conducting an investigation of the incident.

Inno Eroraha, a computer forensics expert at NetSecurity Corp. in Dulles, said malicious software "was collecting data within the network and sending that information back to the mothership."

The breach did not occur at any bank or retail location where customers used their credit or debit cards to pay for purchases.



Contact Iris Taylor at (804) 649-6349.


Reader Reactions

Posted by Evan on March 04, 2009 at 9:46 pm

Great story…about 6 weeks late. The Heartland story came out on January 20th and has been covered by every major web site and other sources since then. I’ve read this story more than once but you guys put it out there today like it’s brand new news. Not. Better late than never, Times-Dispatch. Keep up the good work.

Posted by Question Govt on March 04, 2009 at 7:59 am

Having worked in the field of information security assessment prior to retirement, it is good to see that forensic auditors are engaged after the fact. That said, it is particularly disturbing that an unauthorized malicious computer program was allowed to capture and transmit sensitive, confidential data back to a central location outside the network. This strongly suggests that Heartland Payment Systems has inadequate and ineffective internal controls to prevent, detect, and timely remove malicious “spyware”. One wonders, too, about the adequacy and effectiveness of Heartland’s internal and external information system audit efforts. Just as one who wishes to protect his home computer from viruses and other malicious computer programs must install and constantly update virus and malicious program detection software on his personal computer, corporations must do likewise. Those, like Heartland, whose systems store and process highly confidential and sensitive data have an even stronger duty to protect it. Firms doing business with Heartland would be well advised to reconsider whether Heartland has adopted adequate, effective information security policies and practices. If the conclusion is that Heartland has not, those businesses should terminate their business relationships after pursuing any and all legal remedies that might exist to force Heartland to immediately remedy the deficiencies which have led to this massive unauthorized disclosure of confidential information.
