A payment processor is working to determine the extent of the damage caused by a malicious program, discovered in its systems, that exposed credit and debit card numbers.
MasterCard and Visa are issuing information to banks and credit unions about credit and debit card accounts that were exposed in a data security breach at a payment processor, the second such processor breach in less than two months.
The Pennsylvania Credit Union Association and the Tuscaloosa, Ala. VA Federal Credit Union posted messages on their websites explaining that a breach investigation is ongoing. Both Visa and MasterCard are declining to name the processor while a forensics team investigates the breach. Investigators are also trying to find a link between the latest breach and the recently announced Heartland Payment Systems breach, a credit union official said on condition of anonymity.
Visa began releasing information to banks and credit unions about affected accounts on Feb. 9. A vulnerability left potentially thousands of credit and debit card numbers exposed from February 2008 through January 2009, according to an alert issued by the Tuscaloosa VA Federal Credit Union.
"We have not been notified that any of our cardholders have fraudulent activity due to this compromise," the message stated. "While it has been confirmed that malicious software was placed on the processor's platform, there is no forensic evidence that accounts were viewed or taken by the hackers."
Credit union officials said it appears the breach is not as serious as the Heartland breach. Heartland announced Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards. In the latest breach, only account numbers and expiration dates were exposed and it's unclear whether the exposed data was even accessed by a hacker.
The Pennsylvania Credit Union Association is advising its member credit unions to wait for further information before reissuing credit and debit cards. A person within that organization said that it comes down to the risk each individual credit union is willing to accept. Customers would not be responsible for fraudulent use of their credit or debit cards.