A New Case of a Data Breach, and It Does Not Involve a Retailer

Why can’t the $100 billion security industry stop hackers? We have witnessed data breaches affect thousands of stores belonging to retailers like Target, Home Depot, Dairy Queen, Michaels, Neiman Marcus, Kmart, Supervalu, Albertsons and many others. But it’s not just retailers who are facing flak for leaking sensitive payment information. A recent case involves Charge Anywhere, a provider of electronic payment gateway solutions to retailers and other merchants. The company recently reported that its system was infiltrated five years ago, affecting unencrypted payment card data.

The company has given assurances that the attack has been shut down and is being fully investigated. Ongoing investigations have revealed that the data breach was caused by malware that the installed anti-virus system failed to detect. The company has hired a computer security firm to upgrade its security measures and trace how the malware affected the system. The malware had affected outbound network traffic, capturing some segments of it.

The leaked data includes cardholders’ names and account numbers as well as expiration dates and verification codes. Payment cards used between November 5, 2009 and September 24, 2014 have been affected. The case of Charge Anywhere shows that retailers should research the security of their payment providers. Retailers ought to make it a habit to check the security practices of their payment vendors, raise queries about security controls, and request audit reports and proof of compliance as well.

This also illustrates how important it is for payment processors to fully encrypt sensitive data flowing through their networks. In an official notice, Charge Anywhere has instructed cardholders to regularly review their account statements for any unauthorized activity. The company has also assured merchants that the issue did not affect any system or device at merchant locations, nor did it affect the systems of any ISO, processor, or other service provider.

Charge Anywhere is also working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted. If banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.