[ISN] Atlanta Company Settles Breach

InfoSec News isn at c4i.org
Fri Feb 24 01:51:46 EST 2006


Associated Press Writer

WASHINGTON (AP) -- A data breach that left some 40 million customer
accounts vulnerable to hackers will lead to tighter security measures
to protect millions of credit and debit card users, officials at the
Federal Trade Commission said Thursday.

CardSystems Solutions Inc. has settled charges that the company broke
the law by failing to ensure adequate safeguards for sensitive
customer information. The settlement calls for better safeguards to
protect consumer data.

The FTC could not seek civil penalties under the law it accused
CardSystems of violating.

Atlanta-based CardSystems processed credit card and other payments for
banks and merchants. Last summer, it was disclosed that tens of
millions of mostly MasterCard and Visa accounts were exposed to
possible fraud after a hacker broke into the company's computer

"CardSystems kept information it had no reason to keep and then stored
it in a way that put consumers' financial information at risk," said
FTC Chairman Deborah Platt Majoras.

The company stored information from the magnetic strip of credit and
debit cards -- account numbers, expiration dates, and security codes,
the agency said. The commission also said CardSystems did not have
sufficient passwords to keep a hacker from taking control of its
computer network.

The assets of CardSystems have since been bought by San
Francisco-based Pay By Touch. The settlement requires Pay By Touch to
implement a comprehensive security program and obtain independent
audits every other year for 20 years.

According to evidence gathered in a California case, the hacker was
able to grab enough account information to defraud at least 264,000
customers. Visa and MasterCard maintain that there is little financial
risk to vulnerable accountholders because of their "zero liability"
policies that reverse all fraudulent charges.

The lawsuit sought an order requiring Visa and MasterCard to send
individual warnings to thousands of consumers whose personal
information was stolen in the breach. But the judge rejected the
request last fall, saying there was no immediate threat of irreparable
harm to consumers.

Copyright 2006 by The Associated Press. All Rights Reserved.
