Insidious 'Script' Used To Steal Online Data

WASHINGTON - (07/25/05) -- The massive data breach at CardSystems Solutions that jeopardized millions of card accounts around the country this spring was carried out with the use of a sophisticated computer script, a non-invasive tracking device that was implanted in company computers by a remote third-party computer hacker. In contrast to viruses and worms, which duplicate indiscriminately and tend to destroy computer files, the script attached itself to specific files at CardSystems and extracted, zipped into a file, and exported the company's confidential consumer files to a third-party website.

This account of perhaps the largest breach of online data ever was explained to members of Congress last week by CardSystems CEO John Perry during hearings before the House Financial Services Committee. The embattled CEO told lawmakers the script was designed to run on the company's system and to run every four days. The invisible script would search the company's computer server for records with track data (the data recorded on a card's magnetic stripe), which contains identifying data. But because the data does not include the cardholder's Social Security number, company officials believe there is little or no risk of identity theft resulting from the mass intrusion of the company's computer systems.

The data stored in the files that were exported by the hackers was information stored from transactions that had not been completed and were being held for research purposes, according to Perry. The storage of the transaction data, which Perry insisted the company has stopped, was prohibited for third-party processors such as CardSystems under the card industry's voluntary security rules, known as the Payment Card Industry Data Security Standard, or PCI.
