Charge Anywhere, a mobile payments solution provider, is notifying its customers of a cyber attack on its network that exposed plain text payment card transaction authorization requests for up to five years.
How many victims? Undisclosed. Charge Anywhere did not immediately respond to a SCMagazine.com request for the information.
What type of personal information? Cardholder names, account numbers, expiration dates and verification codes.
What happened? An unauthorized party gained access to Charge Anywhere's network and installed malware to capture outbound traffic. Although the traffic was encrypted, Charge Anywhere wrote in a breach notification that the “format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.” The malware was discovered on September 22, but is thought to have been on the system since as early as November 5, 2009.
What was the response? Charge Anywhere removed the malware and is hosting a page where customers can search to see whether a business is affected. The company is also coordinating with credit card companies and processors to create a list of merchants and the account number of cards
Details: The malware required “extensive forensic investigative efforts” to decode and determine its capabilities. Files were found that contained captured network traffic from August 17, 2014, through September 24, 2014. This doesn't represent the full scope of the attack, however.
Quote: “CHARGE Anywhere's investigation found malware that had not been previously detected by any anti-virus program,” according to a bulletin on the breach. “The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.”
Source: chargeanywhere.com, “CHARGE Anywhere Provides Notice of Payment Card Incident,” Dec. 9, 2014