Thanks for getting back to me on this. I've posted below the
information on CardSystems that has come to light since the initial
reports of the security breach.
In your comment, you asked about similar information on other
breaches, but as my research was focused on CardSystems, I did not
come across reports of other incidents. May I suggest that you post a
follow-up question if you need information on other companies.
I trust the CardSystems information fully answers your question. But
if you find additional information is needed, just let me know by
posting a Request for Clarification, and I'm at your service.
The most detailed information on the CardSystems breach and its
aftermath seems to be the presentation made by the CardSystems CEO,
John Perry, before a Congressional committee investigating the breach.
Here is a link to an article on the testimony, along with some relevant excerpts:
July 22, 2005
Unauthorized Data Access At CardSystems Began In April 2004, Bank Says
...Unauthorized activity at CardSystems Solutions Inc. that led to the
exposure of 40 million payment cards started as early as April 2004,
according to a security assessment performed by a bank
...CardSystems servers showed evidence of unauthorized activity as
early as April 2004.
...CardSystems was retaining transaction data in violation of Visa USA Inc. rules
...CardSystems was retaining transaction data in "unmasked" form,
allegedly for research purposes, in violation of Visa's rules.
...in September, an unauthorized party placed a script, or sequence of
instructions, on the CardSystems platform through an Internet-facing
application used by customers to access data.
...The script caused records to be extracted, zipped into a file, and
exported to an FTP site.
...a sophisticated script that targeted a particular file type and was
scheduled to run every four days
...The script searched for records on individual cardholders,
including name, account number, expiration date, and CVV code
...On May 22, the script succeeded in exporting 263,000 records from
...The records consisted of transactions that hadn't been completed.
...CardSystems was storing the transactions for research purposes to
determine why they weren't completed
...The data didn't include cardholder Social Security numbers, and
thus couldn't be used for identity theft,
...It could, however, have been used to create counterfeit cards.
...A total of 22 million Visa cards and 13 million MasterCard cards
were put at risk by the security breach
The full testimony can be found at the House Financial Services
Committee site and contains some interesting additional detail:
JOHN M. PERRY
PRESIDENT AND CEO
CARDSYSTEMS SOLUTIONS, INC.
JULY 21, 2005
...The payment card system is designed so that processors like
CardSystems do not have access to complete information, such as social
security numbers, which could greatly facilitate identity theft.
...CardSystems identified a potential security incident on Sunday, May 22, 2005.
...we contacted the FBI on Monday, May 23
...On May 25, we notified our sponsor, Merrick Bank.
...CardSystems also has been helping to facilitate all government
inquiries, and will continue to do so. These inquiries include those
being conducted by the FBI, the FDIC, and the Attorneys General of
forty-six of the states, the District of Columbia and three U.S.
...Our cooperation with the FDIC includes assisting them in their
continuing on-site review at our facilities which began in the third
week of June.
...In order to gain access to the Visa and MasterCard networks,
processors are required to obtain sponsorship from a Visa or
MasterCard member bank. As I previously noted, CardSystems' sponsoring
bank is Merrick Bank of South Jordan, Utah. Merrick Bank is a member
of both Visa and MasterCard, and acts as a liaison between CardSystems
and the card associations.
...In late Fall 2003, CardSystems was audited and certified by a
qualified Visa CISP security assessor, Cable & Wireless. The Cable &
Wireless audit, which concluded that CardSystems was unequivocally in
compliance with Visa's CISP requirements, was reported to Visa in
December 2003. The 2003 CISP audit determined that there were no
deficiencies which were not covered by compensating controls. As a
result, Visa qualified CardSystems as security-compliant in June 2004.
...Visa and MasterCard required all entities handling payment card
data to comply with the PCI Standard by June 30, 2005. In light of
CardSystems' recent incident, Visa and MasterCard had agreed to extend
the time for CardSystems to conclude its PCI audit until August 31.
CardSystems expects to be fully certified as compliant with the PCI
Standard requirements at that time.
...Based on all of the forensic investigations conducted externally,
by independent scans and investigations and by the payment card
providers, we know of only one confirmed instance in which any data
was exported, and that is the May 22 incident that has brought us here
...The offending script searched our computer servers for records with
track data (the data on a card's magnetic stripe, which is affixed to
cardbacks and contains identifying data). The most complete
information that could have been obtained for any one cardholder would
have been that person's name, account number, expiration date and CVV
code (contained in the magnetic stripe). Since this data does not
include the cardholder's social security number, we believe that there
is virtually no risk of identity theft resulting from this intrusion
...The data stored in the files that were confirmed to have been
exported by the script consisted of transactions which were not
completed for a variety of reasons.
...As we have repeatedly acknowledged, our error was that the data was
kept in readable form in violation of Visa and MasterCard security
standards. As of May 27, 2005, track data is no longer stored by
...As the result of the extensive forensic analysis in which we have
participated, we know for certain that three files were wrongfully
removed from the CardSystems platform. Of these three files, one was
empty, one contained about 4,000 records, and the third contained
approximately 259,000 records. The total 263,000 records correspond to
239,000 discrete account numbers.
...CardSystems does not possess the data that would enable it to
notify cardholders who may have been impacted by this incident.
Instead, the card issuing banks, through their direct relationship
with cardholders, have the complete records that include the names and
addresses of cardholders.
...So far, out of all of the account numbers that may have been
affected, we have not been notified of any that have been used
...CardSystems no longer stores track data, and all track data is now
otherwise masked or rendered unreadable.
...In conjunction with our efforts to achieve PCI security compliance
by August 31, we have selected AmbironTrustWave, a
...Qualified Data Security Company (QDSC), to perform our official PCI
Despite CardSystems' assurances of cooperation, the Attorneys General
are not all that pleased:
States Await Details on CardSystems Security Breach
August 1, 2005
..."While we were encouraged by initial contacts by CardSystems that
the company would comply with our request, we are disappointed that we
have not received a formal response and documentation that we
requested by the July 25 deadline."
..."Thus far, the company has failed to provide a plan as to how it
intends to notify consumers and prevent a similar data leak in the
future. These failures are not acceptable. We are in contact with
other states to consider our next course of action."
Again, just let me know if there's anything else I can do for you on this.
search strategy -- searched Google, Google News, and news databases
for recent stories on [ CardSystems ]
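The remediation the testimony describes (track data no longer stored, card numbers masked or rendered unreadable) as an added example, not code from this answer or from CardSystems: a scanner that finds magnetic-stripe track data, CVV fields and Luhn-valid card numbers in stored transaction rows and masks them. The field names and the sample rows are constructed for illustration.

```python
import re

# Magnetic-stripe "track data" layouts the testimony says were retained in the clear:
# Track 1 is "%B<PAN>^<NAME>^<YYMM>...", Track 2 is ";<PAN>=<YYMM>...".
TRACK_RES = {"track1": re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\S*"),
             "track2": re.compile(r";(\d{13,19})=\d{4}\S*")}
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"(?i)((?:cvv2?|cvc2?)\s*[=:]\s*)\d{3,4}")

def luhn_ok(digits):
    """Mod-10 check that separates card numbers from order ids of similar length."""
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 if int(c) < 5 else int(c) * 2 - 9)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def mask_pan(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]  # keep first six and last four only

def scrub_record(record):
    """Return (scrubbed_record, findings): track data dropped, PANs and CVVs masked."""
    findings, text = [], record
    for kind, rx in TRACK_RES.items():
        for m in rx.finditer(text):
            findings.append((kind, mask_pan(m.group(1))))
        text = rx.sub(f"[{kind} removed]", text)
    if CVV_RE.search(text):
        findings.append(("cvv", "***"))
    text = CVV_RE.sub(r"\1***", text)
    def mask_match(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return pan  # a 13-19 digit number that is not a card number, e.g. an order id
        findings.append(("pan", mask_pan(pan)))
        return mask_pan(pan)
    return PAN_RE.sub(mask_match, text), findings

# Constructed sample rows modelled on the "incomplete transaction" records the page describes.
SAMPLE_RECORDS = [
    "txn=8841 status=DECLINED pan=4111111111111111 exp=2512 cvv=123",
    "txn=8842 status=TIMEOUT track2=;5500000000000004=2512101123456789? reason=gateway",
    "txn=8843 status=OK orderid=1234567890123",
]

def audit(records):
    """Scrub every record; return (clean_records, how_many_records_held_card_data)."""
    results = [scrub_record(r) for r in records]
    return [t for t, _ in results], sum(1 for _, f in results if f)
```

Run `audit(SAMPLE_RECORDS)` to see the two rows that held card data rewritten and the order-id row left untouched.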