[ISN] Atlanta Company Settles Breach

From: InfoSec News (isn@private)
Date: Thu Feb 23 2006 - 22:51:46 PST


http://www.11alive.com/money/money_article.aspx?storyid=76552

By JENNIFER C. KERR
Associated Press Writer
2/23/2006 

WASHINGTON (AP) -- A data breach that left some 40 million customer
accounts vulnerable to hackers will lead to tighter security measures
to protect millions of credit and debit card users, officials at the
Federal Trade Commission said Thursday.

CardSystems Solutions Inc. has settled charges that the company broke
the law by failing to ensure adequate safeguards for sensitive
customer information. The settlement calls for better safeguards to
protect consumer data.

The FTC could not seek civil penalties under the law it accused
CardSystems of violating.

Atlanta-based CardSystems processed credit card and other payments for
banks and merchants. Last summer, it was disclosed that tens of
millions of mostly MasterCard and Visa accounts were exposed to
possible fraud after a hacker broke into the company's computer
system.

"CardSystems kept information it had no reason to keep and then stored
it in a way that put consumers' financial information at risk," said
FTC Chairman Deborah Platt Majoras.

The company stored information from the magnetic strip of credit and
debit cards -- account numbers, expiration dates, and security codes,
the agency said. The commission also said CardSystems did not have
sufficient passwords to keep a hacker from taking control of its
computer network.

The assets of CardSystems have since been bought by San
Francisco-based Pay By Touch. The settlement requires Pay By Touch to
implement a comprehensive security program and obtain independent
audits every other year for 20 years.

According to evidence gathered in a California case, the hacker was
able to grab enough account information to defraud at least 264,000
customers. Visa and MasterCard maintain that there is little financial
risk to vulnerable accountholders because of their "zero liability"  
policies that reverse all fraudulent charges.

The lawsuit sought an order requiring Visa and MasterCard to send
individual warnings to thousands of consumers whose personal
information was stolen in the breach. But the judge rejected the
request last fall, saying there was no immediate threat of irreparable
harm to consumers.

Copyright 2006 by The Associated Press. All Rights Reserved.



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Feb 23 2006 - 23:12:09 PST