GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Data breaches, more than bad publicity


Industry Update

Insuring against compromise

Negotiating the economic currents

U.S. court trims AmEx's clause

ACH network gets more mobile


GS Advisory Board:
Challenge breeds opportunity - Part I

PCI Compliance for Dummies

Sumedh Thakar and Terry Ramos

Standing together against online fraud

And the nominations are

Selling Prepaid

Prepaid in brief

eCommLink refocuses, targets global remittance

Data breach leads to payroll card fraud

Event Innovation Inc.
Stored value - That's the ticket


Coming in from the cold at NEAA

Patti Murphy
The Takoma Group

The HMS odyssey

Ken Musante
Moneris Solutions Inc.


Street SmartsSM:
Rules by which to thrive, not dive

Jason Felts
Advanced Merchant Services Inc.

How to write right

Nancy Drexler
SignaPay Ltd.

Dead-on delegation

Vicki M. Daughdrill
Small Business Resources LLC

Keep an eye on the store

Adam Atlas
Attorney at Law

The lowdown on downloads

Dale S. Laszig
DSL Direct LLC

Company Profile

TransFirst Holdings Inc.

MicroBilt Corp.

New Products

Giving salons, spas the Midas touch

TouchSuite Salon POS
Company: Invenstar LLC

RDC, scanner tandem for small merchants

Jack Henry & Associates Inc.


Cut back without cutting out



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

February 23, 2009  •  Issue 09:02:02

previous next

Data breach leads to payroll card fraud

A cardholder data breach at prepaid card issuer and processor RBS WorldPay Inc. has reportedly resulted in an ATM scam that netted fraudsters $9 million. While RBS said 1.5 million open-loop gift and payroll card numbers were compromised in the breach discovered by the company in November 2008, only 100 of the card numbers - all from payroll accounts - were allegedly used in the scam.

Apparently, the fraudsters cloned the card numbers onto fake cards and hit over 100 ATMs in a coordinated attack that spanned cities in the United States, Canada, Russia and Asia. The FBI reported that at least two "cashers" withdrew funds from ATMs in the Atlanta area. Additional suspects were captured on video surveillance cameras at three different bank ATMs in Chicago.

In the wake of the breach, RBS said it had "urgently taken a number of important steps to mitigate risk in response to this situation." RBS said, among those steps, PIN numbers on compromised accounts were reset, in-store gift cards that correlated to card numbers stolen were taken off retailers' shelves and deactivated, and RBS hired outside security experts to work with its own internal team to bolster RBS' system defenses.

An RBS spokesman said RBS is continuing to work with law enforcement agencies on the investigation into the breach. RBS is also providing one year of free credit monitoring to prevent identity theft for those cardholders whose Social Security numbers were stolen along with the card numbers, which amounted to possibly 1.1 million out of the total 1.5 million cardholders affected.


The spokesman pointed out that RBS is a global business and only RBS' U.S. open-loop gift and payroll card system was compromised in the breach. Additionally, the spokesman said the extent of the actual fraud that occurred was limited to the 100 payroll cards. But that fact didn't stop a class action lawsuit from being filed against RBS on Jan. 6, 2009, in the U.S. District Court, Northern District of Georgia.

The suit alleges RBS failed to "adequately safeguard" the cardholder data that was stolen. The suit also states RBS "waited approximately 43 days to publically announce the breach." That announcement came on Dec. 23, 2008, which meant, according to the suit, that "RBS delayed announcing the breach until the end of the busy holiday shopping season, a period when heavy sales of gift cards occur."

Furthermore, the suit also claims RBS' one year of free credit monitoring is "inadequate," since "identity thieves often do not use the stolen data for lengthy periods of time, waiting for victims to become lax in monitoring their accounts." The RBS spokesman could not comment on the allegations contained in the suit but said RBS was on Visa Inc.'s list of Payment Card Industry Data Security Standard-compliant businesses at the time of the data breach.

For more stories from SellingPrepaid E-Magazine, as well as breaking news and forums devoted to the prepaid sphere, please visit

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios