Just in time for Christmas, RBS WorldPay spread some holiday jeer by announcing more than one million customers had their account information compromised by a hacker that got into the payment processor’s computer systems. The institution discovered the breach shortly after Halloween, yet apparently waited almost two months—an eternity in ID theft time—before making a public announcement.
That has some people scratching their heads. “Two months? That’s enough time for someone to go out and apply for a loan under your name, to get a credit card, to mess up your credit. The way to build trust in relationships is with communication,” says Jacob Jegher, an analyst at Celent.
The institution on or around Nov. 10 discovered the breach, and was able to determine that the account information of about 1.5 million people and the Social Security numbers of about 1.1 million had been compromised. It also said about 100 payroll cards had been used in a fraudulent manner, and that those cards had been deactivated. While the institution says it reported the breach to authorities “shortly after” the discovery, there was no public announcement until Dec. 23. In that announcement, the institution assured customers would be protected and said affected customers “had been notified,” though it did not give a timeframe for when it actually notified consumers. Nor did it give the timeframe between the breach’s discovery and its containment.
An RBS Worldpay spokesperson would not comment on the breach, citing the “ongoing investigation.” Jegher says that given the overall public image that financial firms have right now, and the dent in trust that’s been the result, it’s a bad time for a communications malfunction regardless of the institution or the reason. “In this day and age, people want to know their assets are protected, whether it’s the FDIC or the bank itself.”