Databases at online credit card processing and security provider Anacom Communications were illegally accessed this week, Anacom’s parent company ZixIt Corporation confirmed Thursday.
ZixIt said that it took control of the entire Anacom premises and began forensic data analysis on the breach Monday night. In addition, the company said, the U.S. Federal Bureau of Investigation (FBI) was brought in to begin a criminal inquiry.
ZixIt director of corporate communications Paul LaBelle told the E-Commerce Times that ZixIt was informed earlier in the week that fraudulent transactions were taking place using the merchant accounts on the Anacom network.
“We pulled the plug and immediately informed all the merchants and the credit card associations they would have to use services from other providers in the interim,” LaBelle said.
Lots of Questions
On Wednesday, outside forensic data experts officially confirmed that both the intrusions and fraudulent transaction processing had occurred. ZixIt management said it has started the process of notifying credit-card companies about the accounts that may have been improperly accessed.
LaBelle said that ZixIt did not yet have any information regarding the outcome of the investigation, such as how long the accounts were exposed or how the breach occurred. ZixIt also said the breach did not involve any of ZixIt’s own data centers or e-mail technologies.
Anacom is the developer and owner of the WebCharge, WebCheck and Internet Fraud Screening (IFS) payment processing gateways and technologies, according to several Web sites that use its services.
Anacom’s merchant account application, e-ZStart, contains multiple Internet fraud filters that each credit card must pass through prior to approval of a transaction. These filters include a negative credit-card database, a fraudulent Internet protocol (IP) and e-mail address filter, and proprietary data encryption.
Visits to Anacom.com throughout the day found the Web site unavailable.
Although online breaches of security are taken seriously by consumers, corporations and law enforcement, the frequency of actual online credit-card fraud is greatly exaggerated, according to a recent report from Jupiter Media Metrix.
The Jupiter report said that attention focused on online security incidents has led consumers to erroneously believe that fraud is approximately 12 times more prevalent on the Internet than off, which is not the case.
In order to reduce misunderstanding about the risks of online fraud, Jupiter recommends that companies classify security incidents, such as the Anacom occurrence, into one of three levels of severity: threat, breach and fraud.
Based on the initial reports from ZixIt, it appears the Anacom incident might fit into the fraud category, which is defined as a situation in which security is compromised, unauthorized access to private records has occurred, and there has been actual misuse of the credit data.
We are one of the customers of Anacom who has been greatly affected by this matter. Many of the transactions that were run through the Anacom system never went through the settlement process at all. Thousands of dollars of merchandise was shipped based on Anacom credit card approvals. We are still struggling with this issue and trying to find ways of recovering our money. Zixit Corporation, Anacom’s parent company, is being completely and totally unhelpful in assisting us in recovering data on file in order to assist us and is unresponsive when the FBI case number and the name of the FBI Agent in Charge of the case that they themselves claim they initiated. A press release was issued by our company outlining our problem and future press releases are scheduled as the case and matter get older.
It truly amazes me that a company whose sole purpose in life is to offer and Internet security to such organizations as Yahoo, does nothing to fix the problems created by themselves and fails to answer when inquiries are made.
To date, we estimate our losses to be in the neighborhood of $30,000.00
Any interested parties are free to contact me to discuss this issue.
As one of those whose card was taken, I’ve toyed with the idea of pursuing legal action, if it’s even something I can do. My card was my primary bankcard [I have no other cards to my name] so it was frustrating to hear the news. I’ve been without a functioning credit/debit card for over a week now as I have to wait for my bank to issue a new one. It’s quite an annoying inconvenience.
I am a news reporter looking to write about this screw-up. Please contact me at [email protected]
I hope that those whose credit card data has been released take legal action. This is the only way to drive home the need for strong data security. Call your lawyers and get some walk-around money.
Would IDS have prevented this or was IDS the tool that allowed the company to see they were compromised?