Q: Data Security Breaches ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: Data Security Breaches
Category: Computers > Security
Asked by: kni800-ga
List Price: $50.00
Posted: 14 Jul 2005 13:27 PDT
Expires: 13 Aug 2005 13:27 PDT
Question ID: 543593
Please provide any and all information relating to the data breach of
CardSystems Solutions: including what value they placed on the
breached data, what are they doing to prevent such a breach again, how
might Microsoft Software be blamed for the security breach at
CardSystems Solutions, what kind of virus-like computer script was it
that retrieved the proprietary information...?

Request for Question Clarification by pafalafa-ga on 17 Jul 2005 10:30 PDT
I've found a number of sources of information regarding the CardSystems
breach, including newspaper articles, government websites, and the
text of a class action lawsuit filed against CardSystems.

However, there is very little detailed financial or technical
information in these sources, and certainly nothing much that answers
the specific questions you asked about:

--the value placed on the data

--the role (if any) of Microsoft software

--details of how the system was broken into and the data retrieved.


In fact, the only thing I could find some detail on are the steps taken
by CardSystems to prevent a future breach.  And even here, the details
are rather sketchy.


None of this is terribly unusual...companies are generally reluctant
to lay out the details of what failed in the past, or what new
protections are currently in place.

Given the sketchy sort of information out there, do you still want a
researcher to post a summary of the available information as an answer
to your question?

Let me know what you think.


pafalafa-ga

Clarification of Question by kni800-ga on 25 Jul 2005 12:23 PDT
Do the articles you've found provide any new information on the
CardSystems Solutions breach than the article from AP, by Joe Bel
Bruno, titled "Security Breach Could Expose 40M to Fraud" If there is
new information as how the breach occurred, what was the data being
used for at CardSystems Solutions, the steps they are taking to
prevent future data breaches - otherwise I would like to revamp my
question because the info isn't anything new that I haven't already
found myself.

Such as: What is the historical and forecasted growth of Identity
Theft, and specifically data breaches in the US for the past 10 years;
and what ways do companies quantify (value) breached (stolen) data? In
addition to any information new info found regarding CardSystems.

Thanks.

Request for Question Clarification by pafalafa-ga on 29 Jul 2005 05:09 PDT
Some additional information on the CardSystems breach has been made
public as a result of the company's testimony before a Congressional
committee last week.  The most salient information seems to be:


--The company hired a forensic IT firm to investigate what went wrong

--Unauthorized activity on their system began as early as April 2004

--In September, an unauthorized script was placed into their platform
via an internet access to the system from an interface used by
customers.

--The script was fairly sophisticated and ran every four days.  It
caused records to be extracted, zipped into a file, and exported to an
FTP site.

--The script searched for records on individual cardholders, including
name, account number, expiration date, and CVV code

--On May 22, the script exported 263,000 records from CardSystems' system.

--The records consisted of transactions that hadn't been completed.
CardSystems was storing the transactions for research purposes to
determine why they weren't completed.

--The data was stored in readable form, in violation of Visa and
MasterCard security requirements.

--The data didn't include cardholder Social Security numbers.

--The few hundred thousand stolen records put millions of cards at
risk -- a total of 22 million Visa cards and 13 million MasterCard
cards were put at risk by the security breach.


Is this sort of information useful?  Let me know.

paf

Clarification of Question by kni800-ga on 02 Aug 2005 17:00 PDT
Yes. This type of information is useful. Is there similar information
available of other breaches?
Answer  
Subject: Re: Data Security Breaches
Answered By: pafalafa-ga on 03 Aug 2005 11:45 PDT
Rated: 5 out of 5 stars
 
kni800-ga,


Thanks for getting back to me on this.  I've posted below the
information on CardSystems that has come to light since the initial
reports of the security breach.

In your comment, you asked about similar information on other
breaches, but as my research was focused on CardSystems, I did not
come across reports of other incidents.  May I suggest that you post a
follow-up question if you need information on other companies.

I trust the CardSystems' information fully answers your question.  But
if you find additional information is needed, just let me know by
posting a Request for Clarification, and I'm at your service.

Cheers,

pafalafa-ga


===============

The most detailed information on the CardSystems breach and its
aftermath seems to be the presentation made by the CardSystems CEO,
John Perry, before a Congressional committee investigating the breach.

Here is a link to an article on the testimony, along with some relevant excerpts:



===============
http://informationweek.com/story/showArticle.jhtml?articleID=166401530#_
InformationWeek 
July 22, 2005

Unauthorized Data Access At CardSystems Began In April 2004, Bank Says 

...Unauthorized activity at CardSystems Solutions Inc. that led to the
exposure of 40 million payment cards started as early as April 2004,
according to a security assessment performed by a bank

...CardSystems servers showed evidence of unauthorized activity as
early as April 2004.

...CardSystems was retaining transaction data in violation of Visa USA Inc. rules

...CardSystems was retaining transaction data in "unmasked" form,
allegedly for research purposes, in violation of Visa's rules.


...in September, an unauthorized party placed a script, or sequence of
instructions, on the CardSystems platform through an Internet-facing
application used by customers to access data.

...The script caused records to be extracted, zipped into a file, and
exported to an FTP site.

...a sophisticated script that targeted a particular file type and was
scheduled to run every four days

...The script searched for records on individual cardholders,
including name, account number, expiration date, and CVV code

...On May 22, the script succeeded in exporting 263,000 records from 

...The records consisted of transactions that hadn't been completed.

...CardSystems was storing the transactions for research purposes to
determine why they weren't completed

...The data didn't include cardholder Social Security numbers, and
thus couldn't be used for identity theft,

...It could, however, have been used to create counterfeit cards.

...A total of 22 million Visa cards and 13 million MasterCard cards
were put at risk by the security breach
===============



The full testimony can be found at the House Financial Services
Committee site and contains some interesting additional detail:



http://financialservices.house.gov/media/pdf/072105jmp.pdf

STATEMENT OF
JOHN M. PERRY
PRESIDENT AND CEO
CARDSYSTEMS SOLUTIONS, INC.

JULY 21, 2005

...The payment card system is designed so that processors like
CardSystems do not have access to complete information, such as social
security numbers, which could greatly facilitate identity theft.

...CardSystems identified a potential security incident on Sunday, May 22, 2005.

...we contacted the FBI on Monday, May 23

...On May 25, we notified our sponsor, Merrick Bank.

...CardSystems also has been helping to facilitate all government
inquiries, and will continue to do so. These inquiries include those
being conducted by the FBI, the FDIC, and the Attorneys General of
forty-six of the states, the District of Columbia and three U.S.
territories.

...Our cooperation with the FDIC includes assisting them in their
continuing on-site review at our facilities which began in the third
week of June.

...In order to gain access to the Visa and MasterCard networks,
processors are required to obtain sponsorship from a Visa or
MasterCard member bank. As I previously noted, CardSystems' sponsoring
bank is Merrick Bank of South Jordan, Utah. Merrick Bank is a member
of both Visa and MasterCard, and acts as a liaison between CardSystems
and the card associations.

...In late Fall 2003, CardSystems was audited and certified by a
qualified Visa CISP security assessor, Cable & Wireless. The Cable &
Wireless audit, which concluded that CardSystems was unequivocally in
compliance with Visa's CISP requirements, was reported to Visa in
December 2003. The 2003 CISP audit determined that there were no
deficiencies which were not covered by compensating controls. As a
result, Visa qualified CardSystems as security-compliant in June 2004.

...Visa and MasterCard required all entities handling payment card
data to comply with the PCI Standard by June 30, 2005. In light of
CardSystems' recent incident, Visa and MasterCard had agreed to extend
the time for CardSystems to conclude its PCI audit until August 31.
CardSystems expects to be fully certified as compliant with the PCI
Standard requirements at that time.

...Based on all of the forensic investigations conducted externally,
by independent scans and investigations and by the payment card
providers, we know of only one confirmed instance in which any data
was exported, and that is the May 22 incident that has brought us here
today.

...The offending script searched our computer servers for records with
track data (the data on a card's magnetic stripe, which is affixed to
cardbacks and contains identifying data). The most complete
information that could have been obtained for any one cardholder would
have been that person's name, account number, expiration date and CVV
code (contained in the magnetic stripe). Since this data does not
include the cardholder's social security number, we believe that there
is virtually no risk of identity theft resulting from this intrusion

...The data stored in the files that were confirmed to have been
exported by the script consisted of transactions which were not
completed for a variety of reasons.

...As we have repeatedly acknowledged, our error was that the data was
kept in readable form in violation of Visa and MasterCard security
standards. As of May 27, 2005, track data is no longer stored by
CardSystems.

...As the result of the extensive forensic analysis in which we have
participated, we know for certain that three files were wrongfully
removed from the CardSystems platform. Of these three files, one was
empty, one contained about 4,000 records, and the third contained
approximately 259,000 records. The total 263,000 records correspond to
239,000 discrete account numbers.

...CardSystems does not possess the data that would enable it to
notify cardholders who may have been impacted by this incident.
Instead, the card issuing banks, through their direct relationship
with cardholders, have the complete records that include the names and
addresses of cardholders.

...So far, out of all of the account numbers that may have been
affected, we have not been notified of any that have been used
fraudulently.

...CardSystems no longer stores track data, and all track data is now
otherwise masked or rendered unreadable.

...In conjunction with our efforts to achieve PCI security compliance
by August 31, we have selected AmbironTrustWave, a Qualified Data
Security Company (QDSC), to perform our official PCI Standard
assessment.
===============



Despite CardSystems' assurances of cooperation, the Attorneys General
are not all that pleased:


===============
http://www.allamericanpatriots.com/m-news+article+storyid-11892.html

States Await Details on CardSystems Security Breach
August 1, 2005

..."While we were encouraged by initial contacts by CardSystems that
the company would comply with our request, we are disappointed that we
have not received a formal response and documentation that we
requested by the July 25 deadline."


..."Thus far, the company has failed to provide a plan as to how it
intends to notify consumers and prevent a similar data leak in the
future. These failures are not acceptable. We are in contact with
other states to consider our next course of action."
===============


Again, just let me know if there's anything else I can do for you on this.


paf



search strategy -- searched Google, Google News, and news databases
for recent stories on [ CardSystems ]
kni800-ga rated this answer: 5 out of 5 stars
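The testimony above says the company's error was retaining track data (name, account number, expiration date, CVV) from incomplete transactions in readable form, and that the remediation was to stop storing track data and mask or render the rest unreadable. The following is an added example, not code from CardSystems or from this page, of the kind of storage audit a defender would run over such a research table: it flags records that still hold a full account number or a CVV, then rewrites them so only the last four digits of the account number survive and the CVV is dropped entirely. The record layout and all values are constructed for illustration.

```python
import re

# Constructed sample records in the shape the testimony describes:
# incomplete transactions retained "for research purposes". The first
# two still hold readable track-style data; the third is already masked.
SAMPLE_RECORDS = [
    {"name": "A. Cardholder", "pan": "4111111111111111", "exp": "0907",
     "cvv": "123", "status": "incomplete"},
    {"name": "B. Cardholder", "pan": "5500000000000004", "exp": "1106",
     "cvv": "456", "status": "incomplete"},
    {"name": "C. Cardholder", "pan": "************0004", "exp": "1106",
     "cvv": None, "status": "incomplete"},
]

# A full primary account number is 13 to 19 digits with nothing masked.
FULL_PAN_RE = re.compile(r"^\d{13,19}$")


def is_unmasked(record):
    """True if the record still holds a readable PAN or any CVV value.

    A CVV must never be retained after authorization, so its mere
    presence is a finding regardless of whether the PAN is masked.
    """
    return bool(FULL_PAN_RE.match(record.get("pan", ""))) or record.get("cvv") is not None


def render_unreadable(record):
    """Return a copy with the PAN truncated to its last four digits and
    the CVV removed; other research fields (status, expiry) are kept."""
    out = dict(record)
    pan = out.get("pan", "")
    if FULL_PAN_RE.match(pan):
        out["pan"] = "*" * (len(pan) - 4) + pan[-4:]
    out["cvv"] = None
    return out


def audit_and_remediate(records):
    """Return (indexes of offending records, remediated copy of all records)."""
    findings = [i for i, r in enumerate(records) if is_unmasked(r)]
    remediated = [render_unreadable(r) for r in records]
    return findings, remediated


if __name__ == "__main__":
    found, cleaned = audit_and_remediate(SAMPLE_RECORDS)
    print("records holding readable track data:", found)
    for rec in cleaned:
        print(rec)
```

Run against a real research table, the `findings` list is the list to report; the remediated copy is what should replace the stored data once the research need for the full number is gone.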

Comments  
There are no comments at this time.
