Charge Anywhere reports data breach

Another data breach affecting shoppers' payment cards has been detected, but this time the victim is not a retailer: it is mobile payment platform Charge Anywhere.

Charge Anywhere said in a statement it has "uncovered a sophisticated attack against its network. The attack has been completely shut down and fully investigated."

After receiving notice of fraudulent charges made to cards that had been legitimately used at specific merchants, the company discovered malware previously undetected by anti-virus software. The malware has been removed and an investigation and network enhancements are underway.

As in the Target data breach, the culprit appears to be an unauthorized third party who gained access to the network and installed malware that was then used to capture segments of outbound network traffic. Much of that outbound traffic was encrypted, but the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately gain access to plain-text payment card transaction authorization requests.

"While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities," according to a company statement. "During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."

Charge Anywhere contends that no merchant systems, ISOs, processors or service providers were affected, that the malware has been eliminated, and that merchant transactions will be routed as usual and payment gateway services will be provided.

The company has provided a searchable list of potentially affected merchants.
