RBS WorldPay intrusion affects 1.5 million
Technorati Tag: Security Breach
Date Reported:
12/23/08
Organization:
The Royal Bank of Scotland Group
Contractor/Consultant/Branch:
Citizens Financial Group Inc.
RBS WorldPay, Inc.*
*RBS WorldPay is a leading single-source provider of electronic payment processing services including debit, electronic benefits transfer (EBT), checks, gift cards, e-commerce, customer loyalty cards, fleet cards, prepaid cards, credit cards and ATM processing and cash management services. The U.S. payment processing division of The Royal Bank of Scotland Group plc, RBS WorldPay, based in Atlanta, is a non-bank subsidiary of Citizens Financial Group, Inc. For more information, please visit www.rbsworldpay.us.
Location:
Atlanta, Georgia
Victims:
"pre-paid cardholders and other individuals"
Number Affected:
"up to 1.5 million"
Types of Data:
"Information such as name, address, telephone number, Social Security number, card account number, PIN, and financial account information"
Breach Description:
"The Atlanta-based payment-processing arm of The Royal Bank of Scotland Group said Tuesday its computer system was penetrated last month and the personal information of up to 1.5 million people might have been compromised."
Reference URL:
RBS WorldPay Press Release (.pdf)
RBS WorldPay Notification Letter (.pdf)
RBS WorldPay Information Site
Atlanta Business Chronicle
The Register
Report Credit:
RBS WorldPay
Response:
From the online sources cited above:
ATLANTA, Ga. – December 23, 2008 – RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer system had been improperly accessed by an unauthorized party.
[Evan] It is not clear (publicly) how the RBS WorldPay "computer system" was compromised. We do know from past experience that central banking systems are typically mainframes and are very well protected. It is no trivial task to access these systems from outside of the bank (or financial institution).
RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation.
The issue, which affected pre-paid cardholders and other individuals, was identified on November 10 and law enforcement agencies and federal regulators were notified by RBS WorldPay shortly thereafter.
RBS WorldPay’s internal security professionals and outside experts are working with federal and state law enforcement authorities in an investigation of this event.
[Evan] It would be cool to be part of this investigation. Forensics is a fun (but tedious) side of information security.
The affected pre-paid cards include payroll cards and open-loop gift cards.
[Evan] Ugh! This type of event at this time of year has an added affect of disrupting some people's Christmas gift giving.
Personal information associated with certain payroll cards may have been improperly accessed.
PINs for all PIN-enabled cards have been or are being reset.
Affected individuals are being notified and information has been posted on the RBS WorldPay Web site, www.rbsworldpay.us.
The fraud that has been identified to-date is associated with RBS WorldPay’s computer system supporting its U.S. pre-paid and open-loop gift card issuing business.
Actual fraud has been committed on approximately 100 cards.
[Evan] Confirmed fraud related to this intrusion.
Cardholders will not be responsible for unauthorized activity associated with this event.
Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed.
[Evan] A gold mine.
RBS WorldPay is offering impacted individuals whose Social Security numbers may have been affected a complimentary one-year membership in a national subscription credit monitoring service that provides access to individuals’ consumer credit reports and daily monitoring of their credit files from all three national consumer reporting agencies.
Gift cards that have already been purchased retain their value and can be used wherever they are accepted by merchants.
Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution.
Ben Barone, president and CEO of RBS WorldPay, said, “Privacy is important to RBS WorldPay and we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from
this situation. We are working closely with leading computer security firms to further safeguard our system, and with law enforcement agencies, which we hope will result in the criminals being brought to justice.”
[Evan] Not the type of news that Mr. Barone would like his name affiliated with, but I admire corporate leaders who address information security matters personally. Corporate leaders are ultimately responsible for the protection an organization's assets, of which information makes up a significant portion (80+% by some estimates).
Cardholders who suspect fraudulent activity as a result of this situation can call the phone number located on the back of their card to make a claim.
RBS WorldPay has developed detailed information about this situation. This
information is available on the RBS WorldPay Web site at www.rbsworldpay.us, including details about steps individuals can take to protect themselves.
Details of the attack itself, much less who might have pulled it off, remain sketchy. RBS WorldPay has pledged to improve its security defences to prevent similar attacks in future.
[Evan] Sheesh, I would love to know how this attack was carried out.
Commentary:
This is a huge breach and obviously has significant costs associated with it.
I look forward to additional details as they emerge. Single and non-card payment processors beware.
Past Breaches:
The Royal Bank of Scotland:
August, 2008 - Financial information belonging to millions sold on eBay
Date Reported:12/23/08
Organization:
The Royal Bank of Scotland Group
Contractor/Consultant/Branch:
Citizens Financial Group Inc.
RBS WorldPay, Inc.*
*RBS WorldPay is a leading single-source provider of electronic payment processing services including debit, electronic benefits transfer (EBT), checks, gift cards, e-commerce, customer loyalty cards, fleet cards, prepaid cards, credit cards and ATM processing and cash management services. The U.S. payment processing division of The Royal Bank of Scotland Group plc, RBS WorldPay, based in Atlanta, is a non-bank subsidiary of Citizens Financial Group, Inc. For more information, please visit www.rbsworldpay.us.
Location:
Atlanta, Georgia
Victims:
"pre-paid cardholders and other individuals"
Number Affected:
"up to 1.5 million"
Types of Data:
"Information such as name, address, telephone number, Social Security number, card account number, PIN, and financial account information"
Breach Description:
"The Atlanta-based payment-processing arm of The Royal Bank of Scotland Group said Tuesday its computer system was penetrated last month and the personal information of up to 1.5 million people might have been compromised."
Reference URL:
RBS WorldPay Press Release (.pdf)
RBS WorldPay Notification Letter (.pdf)
RBS WorldPay Information Site
Atlanta Business Chronicle
The Register
Report Credit:
RBS WorldPay
Response:
From the online sources cited above:
ATLANTA, Ga. – December 23, 2008 – RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer system had been improperly accessed by an unauthorized party.
[Evan] It is not clear (publicly) how the RBS WorldPay "computer system" was compromised. We do know from past experience that central banking systems are typically mainframes and are very well protected. It is no trivial task to access these systems from outside of the bank (or financial institution).
RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation.
The issue, which affected pre-paid cardholders and other individuals, was identified on November 10 and law enforcement agencies and federal regulators were notified by RBS WorldPay shortly thereafter.
RBS WorldPay’s internal security professionals and outside experts are working with federal and state law enforcement authorities in an investigation of this event.
[Evan] It would be cool to be part of this investigation. Forensics is a fun (but tedious) side of information security.
The affected pre-paid cards include payroll cards and open-loop gift cards.
[Evan] Ugh! This type of event at this time of year has an added affect of disrupting some people's Christmas gift giving.
Personal information associated with certain payroll cards may have been improperly accessed.
PINs for all PIN-enabled cards have been or are being reset.
Affected individuals are being notified and information has been posted on the RBS WorldPay Web site, www.rbsworldpay.us.
The fraud that has been identified to-date is associated with RBS WorldPay’s computer system supporting its U.S. pre-paid and open-loop gift card issuing business.
Actual fraud has been committed on approximately 100 cards.
[Evan] Confirmed fraud related to this intrusion.
Cardholders will not be responsible for unauthorized activity associated with this event.
Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed.
[Evan] A gold mine.
RBS WorldPay is offering impacted individuals whose Social Security numbers may have been affected a complimentary one-year membership in a national subscription credit monitoring service that provides access to individuals’ consumer credit reports and daily monitoring of their credit files from all three national consumer reporting agencies.
Gift cards that have already been purchased retain their value and can be used wherever they are accepted by merchants.
Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution.
Ben Barone, president and CEO of RBS WorldPay, said, “Privacy is important to RBS WorldPay and we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from
this situation. We are working closely with leading computer security firms to further safeguard our system, and with law enforcement agencies, which we hope will result in the criminals being brought to justice.”
[Evan] Not the type of news that Mr. Barone would like his name affiliated with, but I admire corporate leaders who address information security matters personally. Corporate leaders are ultimately responsible for the protection an organization's assets, of which information makes up a significant portion (80+% by some estimates).
Cardholders who suspect fraudulent activity as a result of this situation can call the phone number located on the back of their card to make a claim.
RBS WorldPay has developed detailed information about this situation. This
information is available on the RBS WorldPay Web site at www.rbsworldpay.us, including details about steps individuals can take to protect themselves.
Details of the attack itself, much less who might have pulled it off, remain sketchy. RBS WorldPay has pledged to improve its security defences to prevent similar attacks in future.
[Evan] Sheesh, I would love to know how this attack was carried out.
Commentary:
This is a huge breach and obviously has significant costs associated with it.
I look forward to additional details as they emerge. Single and non-card payment processors beware.
Past Breaches:
The Royal Bank of Scotland:
August, 2008 - Financial information belonging to millions sold on eBay
Posted by Evan Francen at 12/29/2008 1:27 PM 
Categories: Intrusion, RBS WorldPay, Royal Bank of Scotland, Citizens Financial Group
Categories: Intrusion, RBS WorldPay, Royal Bank of Scotland, Citizens Financial Group
Posts Atom 1.0
Ain't this an interesting situation? I watched a couple of videos from Washington University on ingenious ways criminal had come up with for cracking codes,evading or bypassing security, etc, and was so fascinated by it, I decided I had to know more about this subject. That is why I recently inquired about what it would take to get to the level of your knowledge etc. regarding security matters. The law does not hold any fascination for me and never really has; it was just better than digging ditches when I graduated college when I graduated college with a BBA in accounting from the U of M(then Memphis State where I had 2 uncles who were accounting professors) and there were no accounting jobs for 20 year olds who played in punk guitar bands and had waist length hair. I should have been working for NASA except my high school counselors had all said I was a psychopath. I was valedictorian at 16 (never made a b), scored a perfect score on the ACT, etc. and still did not receive one dime of scholarship money. So I just decided to go to law school. Criminal trials are sometime interesting, but it is more a "manu a manu" thing, rather than a "man v. the entirety of knowledge that exists, known or unknown thing", which is what really floats my boat. See you later, as usual, I am time challenged.
Reply to this