CardSystems Data breach case
Contents
- The background to the case
- The Card Systems Case
- How it was done - a SQL injection attack
- The question of Compliancy
- Withdrawal of Services
- The sale of CardSystems
- Far reaching effects
- A timeline in Articles
- Blogs and Comments on the case
- The PCI DSS Official Site
- PCI DSS resources and Books
- More about the Data Security Standard
- Protecting your information
- The TJX Security Breach case
- Leave your comments
- About the lensmaster
The background to the case
Card Systems and PCI DSS
CardSystems was a third-party payment processor. This means that it gathered transactions from thousands of small and medium businesses and processed them in batches for card providers such as Visa and Mastercard.
The case covers how one of the larger processing houses found itself vulnerable to a comparatively simple hack, and as a result nearly ceased to trade and was eventually bought out. This was also the first major case in which the card providers (e.g. Visa and Amex) used their final recourse against a merchant and withdrew CardSystems' right to process credit card data.
More from Wikipedia
CardSystems Solutions is a credit card processing company. In June 2005 it was discovered that data on 40 million credit cards had been stolen from CardSystems. This led to the further discoveries that CardSystems had been keeping, in unencrypted form, data it was contractually obligated to delete, and that its own network was vulnerable to infiltration by hackers. Visa and American Express subsequently dropped it as a credit card processor. CardSystems was acquired by Pay By Touch; the buyout was completed on December 9, 2005.
At the time it was the largest computer hack in history (source: "TJX data breach: At 45.6M card numbers, it's the biggest ever", Computerworld, March 29, 2007, http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever). It would be surpassed by the Albert Gonzalez hacks of 2007: TJX Companies, in which 45.6 million cards were compromised, and Heartland Payment Systems, in which 130 million cards were compromised.
The Card Systems Case
A high profile target
As a high profile target, CardSystems was told it had to comply with data security standards. CardSystems engaged an auditor and in June 2004 was certified as compliant. Relevant to the case, this certification asserted that the company was following a high standard of security and that card data was encrypted. (wired.com)
On June 17th 2005 Mastercard disclosed that there had been a major data breach at CardSystems (Securityfocus). Who discovered the fraud has been debated: CardSystems claimed it discovered the breach itself, while Mastercard stated that it tracked the fraud back to CardSystems externally (CNN).
The result was the same: 40 million credit cards had been compromised.
How it was done - a SQL injection attack
The Card Systems data breach
Internet news quotes a statement covering the hack, but more information is available from Xiom and the FTC complaint. Here is a summary:
It appears that a hacker or hackers gained access to the system through a web application which customers used to access their own data. They used a SQL injection attack, in which a small snippet of code is passed to the database through the front end (the browser page) and stored on the server. Once installed, the code ran every four days: it gathered credit card data from the database, wrote it to a file (zipped to reduce its size) and sent the file to the hackers via FTP.
Three such files were downloaded, containing over 200,000 credit card details.
The question of Compliancy
Was CardSystems PCI DSS compliant?
SQL injection can be as simple as copying and pasting text into a box on a web form. It is stopped comparatively easily by properly designed applications, by a web application firewall, or in many other ways, and these safeguards are required by the standard CardSystems was allegedly in compliance with. The fact that an injection attack got through raised questions over their firewall.
Further, CardSystems had been storing card data for research in unencrypted form. The standard requires that all stored credit card data be encrypted, and destroyed once it is no longer needed for the transaction.
The investigation found that CardSystems did not appear to be compliant with the standard.
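As an added example (not code from the page, from CardSystems or from the FTC complaint), here is the class of defect the section above describes beside the defence the standard expects: the first lookup splices a customer-supplied identifier into the SQL text, the second binds it as a parameter so the database never treats it as SQL, and a format allow-list on the identifier adds a second layer. The table, rows, identifier format and tampered input are all constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a processor's customer-facing lookup table;
# schema and rows are invented for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE merchants (merchant_id TEXT, contact TEXT)")
    db.executemany(
        "INSERT INTO merchants VALUES (?, ?)",
        [("M1001", "alice@example.test"), ("M1002", "bob@example.test")],
    )
    return db

def lookup_unsafe(db, merchant_id):
    """The defect: input is spliced into the SQL string, so quote
    characters in the input change the query the database runs."""
    sql = f"SELECT merchant_id FROM merchants WHERE merchant_id = '{merchant_id}'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, merchant_id):
    """Hardened form: a bound parameter is always data, never SQL text."""
    sql = "SELECT merchant_id FROM merchants WHERE merchant_id = ?"
    return [row[0] for row in db.execute(sql, (merchant_id,))]

# Defence in depth: reject anything that is not shaped like an identifier
# before it reaches the database at all (format is an assumption here).
MERCHANT_ID_RE = re.compile(r"M\d{4}")

def valid_merchant_id(value):
    return MERCHANT_ID_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR 'a'='a"          # constructed tautology input
    print(lookup_unsafe(db, tampered))  # every row leaks
    print(lookup_safe(db, tampered))    # no row matches the literal string
    print(valid_merchant_id(tampered))  # rejected before any query
```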
Withdrawal of Services
Visa and Amex close the doors
Visa's withdrawal of CardSystems' right to process its cards was the final recourse available to any of the card providers, and using it caused a stir. CardSystems stated that it hoped Visa would reconsider, only for Amex to follow Visa's lead a few days later. (Opinion piece)
With the loss of two of the major providers, and the banks that issued those cards taking their business elsewhere, CardSystems' future was in doubt.
The sale of CardSystems
After the withdrawal
The new security head, Joe Christensen, had to try to make CardSystems PCI compliant so that the company was viable for sale. With an extensive client list it would be a good takeover target, as long as buyers could be sure it really was compliant. (searchsecurity)
The compliance deadline was extended twice, first to 31st October and then to 31st January. With increased security and staff training, CardSystems became an attractive prospect to buy, and the company was eventually acquired by Pay By Touch in 2005.
Far reaching effects
Ongoing issues
The question of liability was tricky. Because of a change in the law, card-holders have to be notified if their card details are stolen. This raised the hotly debated and ongoing question of who notifies them and who is liable for the cost.
CardSystems and its purchaser face independent security audits every other year for the next twenty years.
Four years later, in May 2009, the case made the news again. One of the banks affected began a lawsuit against Savvis, the auditors who had stated that CardSystems was compliant. The bank estimates the case cost it nearly £16M.
A timeline in Articles
The Card Systems case as it progresses
Please note that the last article deals with the Savvis lawsuit, in which one of the banks is now suing CardSystems' auditor.
- CardSystems' Data Left Unsecured (June 2005, Wired.com)
- Visa says a company that experienced the largest credit-card security breach ever disclosed did not meet basic security standards, even though it was certified secure by Visa. By Kim Zetter.
- MasterCard fingers partner in 40m card security breach • The Register (18th June 2005)
- Unauthorised research opened door to MasterCard breach • The Register (21st June 2005)
- Data was held for "research" purposes
- Visa cuts CardSystems over security breach • The Register (19th July 2005)
- The CardSystems blame game (Security Focus - August 2005)
- Hiring a security auditor in light of the CardSystems breach reveals quite a bit about the legal side of security consultants.
- CardSystems Sells Out After Massive Data Breach (Consumer Affairs - 19th October 2005)
- CardSystems Settles Data Breach Charges - InternetNews.com (24th February 2006)
- Credit card processor agrees to tighten security practices and accepts third-party audits.
- Finextra: Savvis faces bank lawsuit over CardSystems data breach (Finextra - 26th May 2009)
- Savvis faces bank lawsuit over CardSystems data breach - news story in full from Finextra
Blogs and Comments on the case
The latest news and developments
- 15 Of The Most Outrageous Data Loss Incidents Of All Time
- Laptop theft is actually a problem in most organizations that deal with sensitive data, but there's sensitive data and then there's SENSITIVE data, and the people at Los Alamos nuclear weapons facility are certainly dealing with the latter. Unfortunately they don't seem to be taking ... Visa told Wired magazine that CardSystems received a security certification in 2004, but post incident records indicated the network was no longer secure at the time of the data breach. ...
- 40 Million Credit Card Numbers Stolen - Failure To Encrypt
- CardSystems Solutions' moronic security efforts have resulted in the potential theft of information for million credit cards. Hackers were able to install a rogue program, probably a Trojan, in the CardSystems security network. ...
- Savvis faces bank lawsuit over CardSystems data breach
- Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment ...
- MasterCard warns of massive credit-card breach
- Data thieves breached the systems of Atlanta, Georgia-based CardSystems Solutions, stealing data on as many as 40 million accounts affecting various credit-card brands, MasterCard says. ... Visa did not immediately comment on the theft, but was preparing a statement. The U.S. Secret Service is not investigating the breach, a spokesperson said. The FBI could not immediately be reached for comment. The breach is the latest incident to put consumer financial data at risk. ...
The PCI DSS Official Site
PCI DSS resources and Books
Achieving the security standard
If you are investigating PCI DSS compliance for your company, here are the latest books from Amazon. These might help you gain an overview of the standard.
More about the Data Security Standard
A lens on the standard
The PCI DSS (Payment Card Industry Data Security Standard) is too long to go into here, but has its own introductory lens:
- PCI DSS - The Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard is about ensuring the safety and security of credit card data. It shot into the public eye after the TJX case, where TKMaxx was fined for being non-compliant after 45 million credit card details were s...
Protecting your information
What you can do as an individual
To protect yourself, here are some books that can help:
The TJX Security Breach case
An overview of the famous case
In 2007 TJX disclosed a security breach that resulted in over 45 million credit cards (along with drivers' licences and personal details) being compromised. This proved to be part of a sophisticated organised crime operation, but the methods used were very, very simple.
- TJX Data loss and security breach case
TJX, the owners of TKMaxx, were the targets of one of the largest data theft cases so far. The consequences are still ongoing, but over 45 million credit cards were affected and customer identity data such as driving licences was also stolen. This is...
Leave your comments
Have your say
The Card Systems case was overshadowed by the TJX case, and now by the revelations about Heartland and RBS. Are there any comments about the case, questions that the lens raises, or anything you think I've missed? Let me know here.