GTM360 Blog

Official Blog of GTM360 Marketing Solutions

What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?

Oh, you’re referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.

By now, it should be obvious what’s different about the latest breach. If not, read on.

High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. Accordingly, it’s known as the “$45M ATM heist” rather than a data breach.

Like past breaches of payment information, this one began with breaking and entering into the databases of several payment processors – including ElectraCard Services and EnStage – which hold sensitive card information of banking customers. The first B&E, into ElectraCard Services, happened in December 2012 and the second one, involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the scamsters who used the stolen information to withdraw money from ATMs were apprehended in NYC two weeks ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.

Like an onion peel, details of the present incident are unraveling day by day. I hope we’ll eventually get answers to the following questions:

  • Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
  • Was the data stolen from in-house data centers of the payment processors? Or was it located on a “cloud” provided by a third-party cloud services company? Although this might seem irrelevant to the common man, it’s necessary to get into these details so that security professionals can plug the right holes.
  • Between the time the security breaches reportedly happened in December 2012 / February 2013 and the time the ATM heists occurred earlier this month, did the banks involved – National Bank of Ras Al-Khaimah PSC and Bank of Muscat – reach out to all the affected cardholders and ask them to change their ATM PIN numbers?
  • How soon were the withdrawal frequencies and limits reset to their original – and correct – values?

I also hope this incident makes it amply clear to regulators that large-scale frauds happen as a result of breaches into payment processors’ systems, and not when individual cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for all values of online and mobile payment transactions. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here), yet proves futile when payment information is attacked where it’s held in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored absolutely safely. In this context, the CEO of Heartland Payment Systems set the tone by accepting that, when it comes to the security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.

Ketharaman Swaminathan on May 24, 2013


  • Ramesh

    Fidelity was exactly similar with $13 mil heist and RBS WorldPay was exactly similar. You need to do homework

  • sketharaman

    This just out:

    “FIS has told Krebs that no clients lost any money as a result of the breach”. On the other hand, EnStage’s CEO admitted, “Our customers were adversely affected by this sophisticated crime.” Further, FIS has said, “it has invested around $100 million over the last two years strengthening its information security and risk position”. I haven’t heard any similar commitments from the payment processors involved in this case. That’s one more reason why this data breach is different.
