The Green Sheet Online Edition
January 12, 2009 • Issue 09:01:01
RBS staves off hackers
RBS WorldPay, the U.S. payment processing division of The Royal Bank of Scotland Group, reported on Dec. 23, 2008, that its computer system had been improperly accessed by hackers and that the personal, financial information of approximately 1.5 million cardholders may have been affected; of this group, 1.1 million "may have had their Social Security numbers improperly accessed as well," according to an RBS press release.
However, only 100 consumer cards had been fraudulently used before RBS discovered its system had been hacked on Nov. 10, 2008. The company told InternetNews.com that compromised prepaid gift cards still on retailer shelves have been removed and destroyed. Consumers who currently own RBS prepaid cards can continue using them.
But Graham Cluley, senior technology consultant for anti-virus vendor Sophos PLC, suggested the delay in the announcement is suspicious, given that the attack happened more than a month prior to the press release. "I'm sure that, if my confidential information had been compromised, I would want to know about it as soon as possible," Cluley said.
"And I can't help but think that making a public statement just before the holidays might fulfill regulatory requirements, but the fact that they buried the news from reporters and released the information around the holidays tells me they would rather go unnoticed."
RBS notified law enforcement and federal regulators shortly thereafter and immediately took steps to mitigate risks of further thefts. RBS WorldPay's internal security staff and outside security experts are investigating the situation with federal and state authorities.
"Privacy is important to RBS WorldPay, and we regret any inconvenience this may cause affected individuals," said Ben Barone, President and Chief Executive Officer of RBS WorldPay.
"We have taken important and immediate steps to mitigate risk, and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation.
"We are working closely with leading computer security firms to further safeguard our system and with law enforcement agencies to assist them in seeing these criminals brought to justice." RBS WorldPay have notified affected individuals by letter and have offered a free one-year credit monitoring subscription with all three major credit reporting agencies.
Victims will not be held financially liable for the fraudulent withdrawals, a company spokesman said. PIN numbers for all PIN-enabled cards have been reset in order to prevent any future misuse. Assistance information for affected individuals is posted on RBS WorldPay's Web site, www.rbsworldpay.us.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.