Retailers trying to protect their payment-card information from thieves have something new to worry about. An unnamed U.S. card processor was attacked in February as part of a $40 million cyberheist, and thieves got essentially unlimited access to the processor's systems. That means no matter how secure retailers kept their systems, if this was their processor, their card data was compromised.
Worse still, federal prosecutors know who the processor in question is, but haven't released that information—so retailers that use the processor have no way of knowing they have a breach in their payments processing chain.
Whether merchant card data was actually stolen from that processor is unknown. According to an indictment unsealed on Thursday (May 9), thieves used their access to raise the withdrawal limits on 12 MasterCard prepaid debit-card account numbers issued by a bank in Oman. As a result, gangs in 24 countries were able to use ATMs to loot roughly $40 million from the accounts during a 10-hour period on Feb. 19 and 20. (The indictment was against eight New York residents who were part of a gang that helped cash out the card numbers.)
That's one very big cyberheist, and it appears to have had a very specific target: Oman's Bank of Muscat. But exactly the same breach techniques could be used to collect a huge number of card numbers from merchant transactions. Once a thief gets that deep into a card processor's systems, there's very little the thief can't grab.
If it sounds like this is good news for retailers (At last! They've stopped breaching us!), think again. Retailers are still the only face that a customer sees. If he uses his card at Macy's or Walmart and then he's notified that thieves have made fraudulent use of his card, he'll draw the obvious conclusion: It's Macy's or Walmart's fault. No matter who in the processing chain gets hit financially, it's the retailer whose reputation will take the hit.
And while it's good that retailers wouldn't get hit with stiff PCI penalties for a security breach in a case like this, many retailers would want to change processors in its wake. In this case they can't—at least not until MasterCard announces which processor it's fining for a $40 million breach.
- See this Reuters story