Fraud linked to US payment processor breach

US credit unions are reporting a security breach affecting credit and debit card numbers involving a payment processor firm. Neither the name of the company at the centre of the snafu nor how many records might be involved has been disclosed. Official word of the breach came when the Community Bankers Association reported that …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Add one more Credit Union

    Pentagon Federal Credit Union was also hit.

  2. Roger Heathcote

    I love how they...

    ...they always state with great certainty what was and what wasn't disclosed in the breach. How the hell do they know? Their servers have been pwned for god knows how long, have they been running a packet capture on their whole network's TCP/IP traffic that entire time?

    If not then how might they explain these precise facts and figures?...

    A) Err, we just made them up out of thin air

    B) We paid v.expensive security consultants to look clever and then guess at them for us

    C) We're just reporting attacks since we started looking, there may well be a boatload more

    D) We had no idea it was even happening til the CIA called us and explained one of their agents had been sold X number of our customer records

    E) We had noticed but we're going to sweep it under the carpet, until the CIA turned up and ruined our plans...

  3. James Woods

    another perfect example

    When these larger corporations do stuff like this everyone suffers. Where's your PCI compliance, how'd that work out for you? Every time these corporate fools screw up, small business suffers and will continue to suffer. Everyone up to Visa should be sued when this stuff happens, there's absolutely no cause for it in 2009.

  4. Anonymous Coward

    Surely...

    ...all the data is encrypted. On the disc, in the database, over the wire. Only on the screen (or at the printer, i.e. point of consumption) does it need to be decrypted.

    Given that must be the case, as they are so hot on security, what does it matter - all the data is encrypted and thus worthless.

    Unless of course it's not encrypted.....

  5. Anonymous Coward

    well, you'd think but

    There is a problem with the PCI requirements.

    Yes, the data must be encrypted in transit,

    Yes it must be encrypted when stored

    But, these two points are in two different sections of the standard and so are often applied in two ways

    For example, if you use HTTPS to encrypt the data in transit and hard drive encryption to encrypt the data while it is stored, you're fully PCI compliant, but all of that is not worth a damn if your server is owned.

  6. smode

    read this

    You should also read Voltage's Luther Martin's blog post on this - http://superconductor.voltage.com/2009/02/another-big-data-breach.html
