A Tale of Two Breaches
Her bank told her that her Visa credit card had been used at a variety of stores, attractions and fast food places in Orlando, and that over $900 worth of charges had been racked up on her card -- all within a few minutes of one another.
Now, cue the ominous music ...
When the bank told her which card number was involved, she realized it was a brand new card that she and her husband had only used once, back in mid-February 2009 -- at a Radisson Hotel.
This call, mind you, was well ahead of the announcement by Radisson on August 19 that it had been breached at some of its locations in the U.S. and Canada.
After the phone call from her bank, Sally re-visited the hotel to inquire about how her credit card may have been compromised. After speaking with the hotel manager, she thought to ask, "Who is your payment processor?" The manager replied, "Heartland." This particular hotel uses Heartland to process payments, although according to Radisson the rest of the chain uses Elavon.
There are only two places that the card information could have been taken, according to Sally: the hotel restaurant's point of sale terminal, or at the processor. "So it's a 50-50 chance that the compromise had to happen at Heartland," Sally says. So far, the investigation by Radisson's forensics experts doesn't show any insider collaboration in the breach. If, indeed, the credit card was breached at the payment processor, it happened after the payment processor's Jan. 20 announcement of the discovery of a breach of its systems.
The good news is: U.S. Bank was quick to pick up on the numerous charges and questioned them. Sally says without the phone call, she would not have known about the charges because they didn't even make it onto the bill she received.
Kudos should go out to the bank. It could have been a lot worse for Sally if the bank didn't call.
Her advice to consumers: "The theme of the day is diligence -- making sure you are checking statements and working with companies who take protecting your identity seriously. If it were not for my financial institution spotting this quickly, it would have been a lot worse."
The advice for institutions out there with credit card accounts: Practice due diligence in fraud monitoring, and get a fraud alert capability set up for your customers.
As for payment processors? It's pretty clear that there is a need for comprehensive, continuous monitoring and constant vigilance. Stay alert out there on the front lines; this is a war.