RBS WorldPay Rocked by ATM Fraud As New CEO Takes the Helm

A new chief executive has taken over at merchant processor RBS WorldPay Inc. just as news erupted this week of a major worldwide ATM fraud that relied on card data stolen from the processor's system last year. Ian Stuttard took the helm of the Atlanta-based company, a unit of Royal Bank of Scotland Group, on Monday, succeeding Ben Barone, a former Home Depot Inc. executive who served as president and chief executive. An RBS WorldPay spokesperson would say only that Barone left “to pursue other interests outside the organization. Stuttard is the fourth chief executive at what is now RBS WorldPay since founder and chief executive Ed Uzialko left about six months after RBS bought Lynk Systems for $525 million in 2004, according to a source familiar with the company. Meanwhile, the Federal Bureau of Investigation is seeking the perpetrators of an apparently massive ATM fraud in which dozens of persons used cards cloned with payroll card data hackers obtained by breaking into RBS WorldPay's computers. In the breach, which the company discovered Nov. 10 and announced two days before Christmas (Digital Transactions News, Dec. 23, 2008), the intruders gained access to information linked to some 1.5 million gift card and payroll card accounts, including Social Security Numbers for 1.3 million people. The processor said in its announcement that it reset all PINs on PIN-protected cards. According to the FBI and press accounts published this week, the fraud ring used some of the payroll card data to clone some 100 cards they then used to siphon cash out of the associated payroll accounts. Attributing its information to both the FBI and other “law-enforcement sources,” Fox 5 in New York reported on Tuesday that the ring pulled $9 million out of more than 130 ATMs in some 49 cities around the world over a 30-minute period just after midnight Eastern time on Nov. 8. The news report said the high-stakes looting was possible because the hackers had been able to manipulate the programming on the payroll accounts to allow for higher daily withdrawal limits than are typically imposed on ATM transactions. They were then able to hire low-level compatriots, known as “cashers,” to make the withdrawals, the report said. Still, to pull $9 million out of ATMs with just 100 cards in just 30 minutes, the cashers would have had to work at a furious pace, averaging some $90,000 per card, or $3,000 in withdrawals per minute. That strikes some observers as an improbable feat. “No, I don't see how,” says Brent Watters, a senior analyst at Mercator Advisory Group who follows the prepaid card market. “That seems highly unlikely. Either the card number is low or [the dollar figure] is being misreported.” Asked by Digital Transactions News about the possibility that more than 100 cards may have been cloned, an RBS WorldPay spokesperson refused to comment. “Given the investigation, there is a limit to what we can talk about,” he said. Contacted by Digital Transactions News, special agent Steve Lazarus in the FBI's Atlanta field office refused to confirm the details of the Fox 5 report, saying only that the fraudsters in the case form “a nationwide network, very extensive, and very computer-savvy.” Lazarus said the FBI released photos from surveillance video showing some of the cashers in action in the hopes that members of the public might help identify them. With respect to the dollar figure given in news reports or other details, Lazarus says only that “we don't comment on pending investigations.” Watters says there should be little or no impact from the fraud on the growth of prepaid cards used to pay employees. Maynard, Mass.-based Mercator estimates some 4.2 million payroll cards were issued last year, with a total load value of $15.9 billion, up from $13.6 billion in 2007. That load value should increase to $25 billion by 2011, the research firm says. “Most folks understand this is an isolated case with RBS,” says Watters. “What occurred here is unfortunate, but it's something RBS needs to address.” The cards, he says, are protected by the consumer protections embodied by the Federal Reserve's Regulation E, and losses are borne by the issuing bank. Also this week, news emerged of the first legal action connected with the breach. A Pennsylvania resident named Keith Irwin “and all others similarly situated,” according to a Jan. 6 class-action filing in the U.S. District Court for the Northern District of Georgia, accuses RBS WorldPay of failing to “adequately safeguard Plaintiffs' private personal and financial information from an unauthorized individual.”