The Green Sheet Online Edition
February 23, 2009 • Issue 09:02:02
Data breach leads to payroll card fraud
A cardholder data breach at prepaid card issuer and processor RBS WorldPay Inc. has reportedly resulted in an ATM scam that netted fraudsters $9 million. While RBS said 1.5 million open-loop gift and payroll card numbers were compromised in the breach discovered by the company in November 2008, only 100 of the card numbers - all from payroll accounts - were allegedly used in the scam.
Apparently, the fraudsters cloned the card numbers onto fake cards and hit over 100 ATMs in a coordinated attack that spanned cities in the United States, Canada, Russia and Asia. The FBI reported that at least two "cashers" withdrew funds from ATMs in the Atlanta area. Additional suspects were captured on video surveillance cameras at three different bank ATMs in Chicago.
In the wake of the breach, RBS said it had "urgently taken a number of important steps to mitigate risk in response to this situation." RBS said, among those steps, PIN numbers on compromised accounts were reset, in-store gift cards that correlated to card numbers stolen were taken off retailers' shelves and deactivated, and RBS hired outside security experts to work with its own internal team to bolster RBS' system defenses.
An RBS spokesman said RBS is continuing to work with law enforcement agencies on the investigation into the breach. RBS is also providing one year of free credit monitoring to prevent identity theft for those cardholders whose Social Security numbers were stolen along with the card numbers, which amounted to possibly 1.1 million out of the total 1.5 million cardholders affected.
The spokesman pointed out that RBS is a global business and only RBS' U.S. open-loop gift and payroll card system was compromised in the breach. Additionally, the spokesman said the extent of the actual fraud that occurred was limited to the 100 payroll cards. But that fact didn't stop a class action lawsuit from being filed against RBS on Jan. 6, 2009, in the U.S. District Court, Northern District of Georgia.
The suit alleges RBS failed to "adequately safeguard" the cardholder data that was stolen. The suit also states RBS "waited approximately 43 days to publically announce the breach." That announcement came on Dec. 23, 2008, which meant, according to the suit, that "RBS delayed announcing the breach until the end of the busy holiday shopping season, a period when heavy sales of gift cards occur."
Furthermore, the suit also claims RBS' one year of free credit monitoring is "inadequate," since "identity thieves often do not use the stolen data for lengthy periods of time, waiting for victims to become lax in monitoring their accounts." The RBS spokesman could not comment on the allegations contained in the suit but said RBS was on Visa Inc.'s list of Payment Card Industry Data Security Standard-compliant businesses at the time of the data breach.
For more stories from SellingPrepaid E-Magazine, as well as breaking news and forums devoted to the prepaid sphere, please visit
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.