By Larry Dignan  |  Posted 2005-12-13

These companies—led by CardSystems—suffered some of 2005's worst data-security breaches. Learn from their examples, so you won't show up on next year's list.


The big question: What can entice companies to beef up security? Bad press and stock declines usually do the trick, but peer pressure such as the Hall of Shame can be an even more effective motivator in The Year of Living Dangerously.

It would have taken a screw-up of truly massive proportions to keep CardSystems out of the Hall of Shame. Forty million credit-card numbers were at risk after an unauthorized individual infiltrated the company's network. CardSystems discovered the breach on May 22 and called the FBI the next day.

Details about the incident are still sketchy. MasterCard, Visa, American Express and CardSystems didn't initially comment on the incident, but CardSystems later confirmed that Visa planned to cut ties to the company as of Oct. 31.

MasterCard and Visa noted soon after the breach that CardSystems violated their security protocols by storing account numbers after processing transactions. Why was CardSystems allowed to operate if it wasn't in compliance with card issuer security standards? Apparently, CardSystems met Visa's security standards in June 2004, but subsequently began holding more data than it could protect.

After it was hacked, CardSystems said it installed "enhanced/additional security procedures" such as encrypting information transmitted and stored on its network and installing a series of firewalls to prevent data leaks.

On Sept. 1, CardSystems announced that it had gotten a clean bill of health from AmbironTrustWave, an independent data security assessment firm. CardSystems CEO John Perry said in a statement that Ambiron "audited the security of our network, the steps that our 110 employees take to safeguard cardholder data, our vulnerability management program, our information security policy and our ability to regularly monitor and test our network."

A Fight for Survival

Following the data breach, CardSystems had to deal with two issues: the specter of Visa abandoning the firm, and its future as an independent company. On Sept. 23, CyberSource Corp., an electronic payment processing company based in Mountain View, Calif., signed a letter of intent to acquire CardSystems for an undisclosed amount.

CyberSource intended to buy CardSystems' payment processing platform and connections to banks and credit-card networks that process transactions for 120,000 merchants. That deal, however, fell apart on Oct. 15 over "the inability of the parties to reach agreement in a timely manner," according to a statement from CyberSource.

Instead, Pay By Touch, a San Francisco company whose payment processing systems use fingerprints to authorize credit and debit transactions, bought CardSystems on Oct. 15. Terms of the deal weren't disclosed.

Pay By Touch CEO John Rogers says the company plans to add CardSystems to its existing merchant processing services business. Pay By Touch will also look to sell its products to CardSystems' customers.

The Pay By Touch deal bought CardSystems more time to get its house in order and convince customers to stay. For instance, Pay By Touch says Visa has extended its Oct. 31 exit date to Jan. 31 to allow the deal to close.

2005 Inductees

    The company discovered in May that 40 million credit-card numbers it had been storing had been exposed to hackers during a security breach.

    The bank disclosed in February that it lost backup tapes containing 1.2 million federal-employee records. In September, it had to inform users of prepaid Visa Buxx debit cards that sensitive information such as bank routing numbers, names and credit-card numbers may have been breached after the theft of a laptop in August.

    The company said in November that 162,000 Social Security numbers and credit histories were stolen by crooks posing as businessmen.

    The company reported in March that between mid-November 2004 and mid-February 2005, transaction data such as transaction amount and account numbers on 1.4 million credit-card accounts and 96,000 checks was stolen.

    The federal agency responsible for protecting bank accounts said in June that it informed 6,000 present and former employees that personal information such as Social Security numbers and dates of birth had been stolen in 2004.

    The company said in April that 59 intrusions resulted in a haul of 310,000 customer Social Security numbers, driver's license numbers and addresses.

    The fashion icon stored transaction data in its point-of-sale systems and lost personal data such as credit-card numbers for 180,000 HSBC North America accounts. Customers got the news in April.

  • UPS
    "Brown" didn't do it for Citigroup in May, when the shipping company says it lost a box of backup tapes containing the credit records of 3.9 million Citigroup customers.

    The University of Colorado-Boulder admitted three foul-ups. On July 21, it reported that a health-center server with identifiers such as addresses and dates of birth for 42,000 students was compromised, along with the results of 2,000 laboratory tests. On Aug. 1, the school said servers with Social Security numbers, names and photographs of 36,000 students, staff, faculty and research associates were breached. And on Aug. 19, a registrar database containing "ancillary information" on 49,000 students was compromised.

    A man in Edina, Minn., received the 1099 tax forms of 73 individuals who held escrow accounts at the bank.

    Business Editor
    Larry formerly served as the East Coast news editor and Finance Editor at CNET News.com. Prior to that, he was editor of Ziff Davis Inter@ctive Investor, which was, according to Barron's, a Top-10 financial site in the late 1990s. Larry has covered the technology and financial services industry since 1995, publishing articles in WallStreetWeek.com, Inter@ctive Week, The New York Times, and Financial Planning magazine. He's a graduate of the Columbia School of Journalism.
