Bank sues Savvis over 2005 CardSystems breach

Utah-based Merrick Bank claims to have lost $16 million as a result of a 2005 breach of payment card processor CardSystems Solutions and is now seeking legal restitution from an IT company it hired to audit the processor.

Merrick Bank is suing an information technology firm, Savvis, for negligence in its audit, which deemed the now defunct CardSystems compliant with Visa and MasterCard's card transaction security standards. According to a complaint filed on May 12, 2009 in U.S. District Court, Eastern District of Missouri, before doing business with CardSystems in 2004, Merrick Bank hired Savvis to assess whether the payment processor met Visa and MasterCard's security requirements.

In its audit, Savvis concluded that CardSystems had sufficient security solutions and operated in line with industry best practices. Savvis recommended that CardSystems be recognized as compliant with Visa's Cardholder Information Security Program (CISP), which ensured that payment card processors had a secure network infrastructure in place and that certain security policies and operational procedures were being followed.

Shortly after passing the Savvis audit, CardSystems was listed as CISP-compliant by Visa, and Merrick allowed CardSystems to process transactions.

In 2005, less than a year after being deemed compliant by Savvis, CardSystems experienced a breach in which 40 million accounts were exposed. The breach occurred due to vulnerabilities in the processor's systems, which enabled a malicious hacker to infiltrate CardSystems' network and access cardholder data.

As a result of the breach, Merrick said it has paid out $16 million to Visa and MasterCard, which in turn have paid issuing banks that suffered fraud as a result of the breach, the complaint states.

“Savvis breached its duty to Merrick by failing to audit CardSystems in a competent and professional manner,” the complaint states.

Merrick's lawsuit charges Savvis with two counts of negligence. Merrick is seeking relief from Savvis in an unspecified amount, to be determined by the court if it rules in Merrick's favor.

“It is our policy not to comment on litigation,” a Savvis spokesman told SCMagazineUS.com on Thursday.

