For a five-hour period in December, customers accessing CheckFree’s electronic bill payment site instead found themselves unknowingly redirected to the worst neighborhood on the Internet—a bogus malware site manned by Ukrainian hackers. That’s the easy part to figure out. According to a notice recently filed by CheckFree parent Fiserv with the New Hampshire attorney general’s office, about 160,000 customers were exposed to the breach. Yet the firm and a number of its banking clients are alerting a whopping five million consumers to possible exposure.

The reason for that 4.84 million-customer gap between estimated and potential exposure is the inability to determine that actual identities of customers redirected to the Ukraine by hackers, requiring the additional notification of clients of banks that outsource their bill payments to CheckFree. CheckFree would not return a request for comment, but the firm’s notification describes the conditions of possible user exposure and instructs customers that may have been affected to reach out to a contact center. The firm is also deploying software from McAfee to identify and remove malware and is offering two years of free credit monitoring.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.