Complain about a product or service

Visa Admits To Problem In Mysterious Data Breach

By Martin H. Bosworth
ConsumerAffairs.com

April 8, 2005

Data Theft • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

Several months after a massive data breach involving hundreds of Visa-branded credit and debit cards came to public attention, the card issuer has finally admitted that there was a problem with its ATM network that led to the breach.

The Associated Press reported on June 20th that Visa claimed a problem with an unidentified contractor that processed credit card transactions led to the exposure of cardholder information.

The statement was made in response to inquiries relating to the Wachovia corporation's recent recall of an untold number of Visa-brand debit cards belonging to its customers.

Neither Visa nor Wachovia would provide any information about the recall, the breach, or the contracting company. Visa spokespeople did not offer clarification as to why it took them nearly six months to acknowledge the incident.

The data breach was first brought to public attention in February by network security consultant Jacob Appelbaum. Appelbaum had been traveling overseas and was trying to withdraw money from his Citibank account, only to find his ATM card had been disabled without explanation.

Many potential suspects and theories were tossed about in what security analyst Avivah Litan called "the worst hack ever."

The most commonly accepted theory -- one which Visa indirectly substantiated -- was that a third-party payment processing company was holding on to data linked to a cardholder's Personal Identification Number (PIN), the four-digit number you use to verify your identity when making debit transactions.

The breach came when enterprising hackers may have stolen the PIN data and linked it to "fake" debit cards, using actual customer information to withdraw money from their accounts.

At the time, Litan said in her report for the Gartner research firm that the repercussions were not over: "The banks are only halfway through this latest scam…[This] will continue to affect large numbers of cardholders."

To date, no individual or group of individuals have come forward claiming responsibility for the data breach, though scam-fighting blog the Consumerist received comments from a "John Dillinger," who claimed to be involved.

"Dillinger" claimed that he himself never participated in the hack, and that what he did was credit card fraud, as opposed to genuine identity theft.

"Getting your identity used to obtain goods and services is way worse then your credit card getting used," he said. "There is no such thing as an ethical hacker! A hacker is a hacker and it's still illegal. Big business like banks make out in the long run wile the consumer eats it in the end."

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |