Top 9 Breaches of 2009
With the announcement in January of the breach that surpassed the 2005 TJX breach, Heartland Payment Systems leads all of the hacks that hit or affected the financial services industry in 2009.
Here's the chronological list of the biggest breaches of 2009, and updates in the various cases since they were first announced:
1. Heartland Payment Systems
Date: January 20
Records Taken: 130 million credit and debit card account numbers
Heartland Payment Systems announced on Jan. 20 that its network had been breached. The payment processor handles transactions for 250,000 merchants. Subsequently, it was revealed through indictments that 130 million credit/debit cards were compromised by the breach. While the outcome of several class action lawsuits has not been decided yet, the criminal accused of perpetrating the hack, Alberto Gonzalez, of Miami, FL, was indicted in August and is prepared to plead guilty. Financial institutions will watch closely the developments in the class action suits as they move through the courts in 2010.
2. RBS WorldPay
Date: November 2008/February 4, 2009
Records Taken: 1.5 million credit and debit cards
In February 2009 the FBI continued to search for suspects in what was being called a well-orchestrated ATM card scam, when the true extent of RBS WorldPay's hack was revealed. In a news report on February 4, FBI law enforcement said that a network of thieves withdrew $9 million from 130 ATMs in 49 cities around the world just after midnight on November 8 with cloned cards created from stolen data taken in the RBS WorldPay hack. Eight men from Eastern Europe were indicted for the crime in November 2009 and face stiff fines and lengthy jail sentences if convicted.
3. Countrywide Financial
Fort Worth, TX
Date: May 4, 2009
Records Taken: 4,000 account numbers
A man posing as an Air Force reservist seems to have gotten thousands of account numbers from Countrywide Financial in Fort Worth, TX. The investigators tracked the case to his accomplice, a customer service rep. The Air Force impostor stole $500,000.
4. Chase Bank
New York, NY
Date: May 18, 2009
Records Taken: Unknown
Four Romanian men were arrested in Florida after being accused of skimming a Central New York Chase Bank ATM. Police say several customers who used the ATM at a Chase Bank in Cicero later found cash had been withdrawn from their accounts from ATMs in New York City, totaling about $40,000. A skimmer was found in the card slot of the machine.
5. Network Solutions
Date: June 8, 2009
Records Taken: 573,000 credit and debit cardholders' information
A data breach at Internet domain administrator and host Network Solutions compromised personal and financial data for more than 573,000 credit and debit cardholders. To add more pain to the breach, Network Solutions says it was PCI compliant at the time of the breach.
The breach was the result of hackers planting rogue code on the company's Web servers used to host mostly small online stores, intercepting financial transactions between the sites and their customers.
6. American Express
Date: July 7, 2009
Records Taken: Thousands of card numbers
Two Phoenix men are accused of stealing thousands of American Express card numbers and swindling more than $1 million from customers. Police discovered during their investigation that a former employee had not only worked as a computer database analyst for American Express; he was one of the few who could have possibly downloaded all of their account holders' information, including the PINs used to access money from ATMs at the different banks, according to court records.
7. Capital One Bank
Date: September 6, 2009
Records Taken: Unknown number of bank customer accounts
Prosecutors in Minneapolis say between July 2008 and April 2009 a crime ring purchased the personal information of Capital One Bank customers from an online source in the Ukraine. They say the group then used the information to create counterfeit credit card accounts, withdrawing more than $652,205.49 from more than 170 ATMs throughout the Twin Cities. Eleven people have been charged in the counterfeit credit card scheme; eight of them are in custody.
8. PayChoice
Date: October 15, 2009
Records Taken: Unknown
PayChoice, a New Jersey-based payroll processor, alerted its online customers on October 15 that its network had been breached for a second time in less than a month. The payroll processing company warned its customers by email about the new breach after some clients reported "phantom" employees showing up on their payrolls.
9. Bank of New York Mellon
New York, NY
Date: October 28, 2009
Records Taken: 150 identities of employees
A computer technician was indicted in New York Supreme Court, charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to steal more than $1.1 million from charities, non-profit groups and other entities.
Adeniyi Adeyemi, a 27-year-old man from Brooklyn, was charged with grand larceny and identity theft. Prosecutors say Adeyemi worked in the bank's Information Technology Department and committed the crimes between November 2001 and April 30, 2009. He is accused of stealing the identities of dozens of employees and using them to open more than 30 bank and brokerage accounts with several financial institutions including E*Trade, Fidelity, Citi, Wachovia and Washington Mutual.