RBS WorldPay Breach Rings Alarm Bells About Acquirer Security

The latest data-breach battleground has shifted to merchant-acquiring and prepaid card territory. Atlanta-based RBS WorldPay, a big acquirer owned by the Royal Bank of Scotland Group that also provides prepaid card programs, late Tuesday afternoon reported a breach of its computer system that may have compromised personal information on about 1.5 million cardholders, including the Social Security numbers of 1.1 million consumers. The data leak affected prepaid cardholders “and other individuals,” RBS said in a news release, but the company didn't give a breakdown other than to say the cardholders held payroll and open-loop gift cards. “Personal information associated with certain payroll cards may have been improperly accessed,” the release says. “PINs for all PIN-enabled cards have been or are being reset.” Actual fraud to date involves only 100 cards. The company did not give a loss figure. Formerly known as RBS Lynk, RBS WorldPay said it discovered the breach Nov. 10 and notified law-enforcement agencies and banking regulators “shortly thereafter,” according the release. But the company didn't say why it waited until Dec. 23 to report the breach publicly. Spokespersons did not return calls from Digital Transactions News. Nor did the news release say how the breach happened or when it began. “RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation,” the release says without giving details. RBS WorldPay said it has notified affected cardholders and posted information on its Web site. This latest breach represents yet another worrisome development in the payment card industry's unending war with computer intruders. While most of the attention in the past two years has focused on retailers' lapses in securing credit and debit card data, the RBS WorldPay breach serves as a reminder of how hackers can penetrate the computer systems of a major acquirer and processor. “It's very bad news,” says Avivah Litan, a technology and security analyst with Stamford, Conn.-based Gartner Inc. She notes that unlike retailers' computer systems, processors' systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” she says, adding that a fraud-intelligence executive at a Gartner client company recently told her that attacks on acquirers and processors are increasing. Another question raised by the breach is whether the Payment Card Industry data-security standard, or PCI, is adequate to protect acquirers/processors. While many merchants, especially small ones, don't yet meet the PCI rules set down by the PCI Security Standards Council and enforced by the card networks, acquirers enforce the rules with their individual merchant clients and presumably are compliant themselves, Litan notes. She did not have information about the status of RBS WorldPay's PCI compliance. RBS WorldPay said it has called on outside experts as well as its own security professionals to investigate the breach. Those personnel are working with federal and state investigators. In the release, Ben Barone, RBS WorldPay president and chief executive, said his company “is working closely with leading computer security firms to further safeguard our system.” Barone also said “we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation.” RBS WorldPay is offering individuals whose Social Security numbers were compromised free, one-year subscriptions to a credit-monitoring service. Gift cards that have already been purchased retain their value and can be used wherever merchants accept them. Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution, RBS said.