IMGCAP(1)]
Evidence of another breach at a U.S. transaction processor surfaced in recent days as a credit union and a credit-union association separately posted alerts about a card-not-present breach unrelated to the Heartland Payment Systems Inc. breach (CardLine, 1/20). The Tuscaloosa (Ala.) VA Federal Credit Union says on its Web site that another "U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and expiration dates for card-not-present transactions." The credit union says no magnetic stripe data, card-verification codes, PINs or other cardholder-identifying information was exposed. On the Pennsylvania Credit Union Association's Web site, the alert says malicious software was found on the unnamed processor's network, but "there is no forensic evidence that accounts were viewed or taken by hackers." The Harrisburg, Pa.-based association says Visa Inc. and MasterCard Worldwide have indicated the transactions were vulnerable from February 2008 to January 2009. Both card brands began issuing alerts to merchants, acquirers, issuers and law-enforcement agencies the week of Feb. 9, the association says, noting the lack of a final forensic report means no information is available about the number of accounts involved. The association says law-enforcement agencies are investigating but does note which ones. In a statement released to CardLine, MasterCard says it is monitoring the incident and has notified affected issuers. "MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and will take steps to safeguard account information when necessary," the statement says. A Visa statement says the company is aware of the compromise and urges consumers to monitor their accounts for suspicious activity. Neither brand would release more details because the investigation is ongoing. The Open Security Foundation, a Glen Allen, Va.-based nonprofit organization that tracks data breaches, says its research suggests this breach is smaller than the Heartland breach, but with no reliable estimates on the number of accounts compromised in the Heartland incident, a tally is "speculative."
