A hacker stole credit card data because a payments company didn't encrypt all its sensitive files
A company responsible for transferring credit card information between merchants and payment processors has warned that hackers have been able to steal some of that data -- including the card's number, expiration date, and verification code -- from its networks.
Charge Anywhere, the company affected by the hack, says the attacker had the ability to intercept the payment authorization requests ferrying that data since November 2009. It claims this ability was only exercised between August 17 and September 24 of this year.
The interception of those requests leaves an unknown number of cardholders at risk, and it's at least partly because Charge Anywhere didn't encrypt every request on its network, allowing the hacker to collect credit card information from intercepted requests.
"Much of the outbound traffic was encrypted," the company said in the statement that made the hack public on Tuesday. "However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests." Whoops.
Charge Anywhere claims to have identified the retailers affected by the hack, and it has advised cardholders to use a searchable database on its website to check whether they shopped at an affected retailer during the one-month window when the hack occurred.
Having that database available is better than nothing, but it also requires consumers to think of every retailer from which they might have purchased something between August and September. It would've been better for Charge Anywhere to have listed the retailers; at least then consumers would have something to help remind them where they shopped.
That list has been made available to credit card companies and processors, however, and Charge Anywhere has also told the banks whose customers were affected by the hack to monitor certain accounts, according to the statement the company released on Tuesday.
Charge Anywhere also claims to have been "working with computer security firms to further strengthen our security measures" after it "completely eradicated the malware from our systems." It's unclear whether those strengthened security measures will include encrypting all payment authorization requests ferried along the company's network, or whether it will continue to transfer such sensitive information via plain text files that can be read by anyone capable of intercepting the authorizations as they are transferred.