E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Hacker hid data on 485,000 cards on U.S. agency's Web site

Source: MSNBC

Posted on March 17, 2000

      In the largest known case of cybertheft, a computer intruder stole information on more than 485,000 credit cards from an e-commerce site and then secretly stored the massive database on a U.S. government agency's Web site, MSNBC has learned. Credit card companies notified financial institutions, but many of the compromised accounts remain open to this day because the banks neither closed them nor notified customers of the theft.

      The heist occurred in January 1999, but only a few details have previously been made public.

      The scope of the crime emerged in a letter dated Dec. 27 from Visa USA to member financial institutions. Jim Macken, a Secret Service spokesman, confirmed that the incident had occurred and added some details in an interview on Thursday.

      The Visa letter, a copy of which was provided to MSNBC by a source in the banking industry, quotes federal authorities as saying that the credit card information - including expiration dates and cardholder names and addresses - was stolen from an Internet retail site by a hacker.

      It said the store of data on Visa, MasterCard, American Express and Discover cards was discovered on an unspecified government computer system during an audit. The letter did not say when the stolen data was found, but Macken said it was discovered before March 1999 on the Web site of a U.S. government agency, which he declined to identify. "This government Web administrator noticed that a lot of the memory was chewed up for no reason, so he checked and found the file (containing the stolen data)," he said. There was no evidence that any of the cards were used to commit fraud and some of the accounts were not active, Macken added.

      The letter said that authorities had not identified the thief, but Macken said investigators have since traced the criminal to Eastern Europe. The investigation is ongoing and involves diplomatic contacts with the country in question, he said.

      The Internet retail site from which the data was stolen has also since been identified, but Macken declined to name it.

      It was unclear why the thief hacked the government Web site and stored the data there, Macken said, though he allowed that the act might have been the online equivalent of thumbing one's nose at U.S. authorities. As MSNBC reported last week, U.S. authorities have so far been stymied in their attempts to prosecute credit card thieves and fraud rings based in the former Soviet bloc nations and Asia.

      Secret Service officials testified about some details of the case before Congress early last year to demonstrate the peril that computer hackers pose to online commerce, Macken said. Their comments generated little coverage, however, and the scope of the case is only now becoming clear.

      The copy of the letter from Visa was obtained by MSNBC from an employee at the Navy Federal Credit Union, in Merrifield, Va., the world's largest credit union with 19 million members. The letter was provided, the source said, to highlight the fact that some financial institutions are failing to act to protect consumers when there is evidence that their credit card information has been stolen.

      Officials at the credit union took no action to warn customers whose account numbers were among those stolen by the hacker, said the source, who spoke on condition of anonymity. Instead, they ordered a "spot check" of 50 to 100 accounts and then decided that no further action was necessary, the source said.

      The source said the same procedure was followed two weeks later, when Visa alerted the institution of the theft of data on 300,000 credit cards from the CD Universe Web site - the biggest theft of credit card data over the Internet that previously had been made public.

      "It was decided that ... it would be too much of an inconvenience and too costly to shut down the accounts and issue new numbers," said the source. "It was deemed not the credit union's responsibility."

      The credit union source said that fraudulent charges have subsequently appeared on some of the accounts that were compromised, though it is impossible to definitively link the fraud to the theft.

      A spokeswoman for the credit union did not return calls Thursday seeking comment.

      Calls to American Express and a half dozen major banks seeking information on their response when notified of the theft also were not returned.

      Scott Lynch, a spokesman for Visa USA, said he could not comment on the case. Nor would he explain why Visa didn't notify its members of the theft until December.

      Alicia Zatkowski, a spokeswoman for Discover Financial Services, said the firm's fraud investigators were not aware of such a case. Vincent DeLuca, vice president of fraud control at MasterCard International, said, "We are aware of some cases but we're not at liberty to talk about any ongoing investigations." Several financial institutions ordered the wholesale closure and replacement of cards that were compromised in the CD Universe case, which also remains under investigation. Such across-the-board replacement programs were well publicized in an effort to assure online consumers.

      Banks and credit card companies often point out that consumers are responsible only for the first $50 of fraudulent online purchases - and that is nearly always waived.

      But stolen credit card information can be used to commit fraud against unsuspecting Internet merchants, who in most cases bear the cost of the crime, or for identity theft - a practice in which criminals use personal data to obtain new credit, borrow money or make big-ticket purchases.

      The US Treasury Department on Wednesday held a two-day national summit on identity theft to focus attention on what Treasury Secretary Lawrence Summers described as "a growing and major criminal threat."

      At the session, victims said that while they did not ultimately have to pay for the losses run up in their names, identity theft is by no means a victimless crime.

      "It has been sheer hell, and I do mean hell," said Darlene Zele, a Rhode Island hospital worker who one of the victims who testified about years of struggling to repair the havoc wrought on their credit records. "At this point, after five years, it's still not over."

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.