Western Union data heist: 'Human error'

No sheriff to stop this robbery. Days after it adds new e-commerce services, Western Union discovers 15,700 credit card numbers stolen by online thieves.

Perhaps the Wild, Wild West was safer.

Western Union, arguably the oldest e-commerce company in the country, has fallen prey to the newest digital threat -- a database thief.

Over the weekend, the company -- established in 1871 to transfer money by telegraph -- discovered that electronic thieves made off with the names of some 15,700 customers who had used their credit cards to transfer money, according to published reports.

"The (system administrators) had been in the system doing maintenance and left the (database) file unprotected," said Pete Ziverts, vice president of corporate communications for the Englewood, Colo.-based company. "The people that illegally broke into the system found that file."

Calling the breach "human error," Ziverts said that while 15,700 credit cards could be open to misuse, the actual number stolen may be much smaller. "We know it's not more than that; it could be less."

The electronic heist happened three months after the company launched a service that allows customers to send money to Western Union locations via an online transaction that charges their credit card.

Last week, Western Union launched its MoneyZap person-to-person Internet payment service and eight days ago the company's PayCash Internet payment system started accepting orders. Neither of those services was affected by the robbery.

On Monday, the WesternUnion.com site could not be accessed from the Web. Ziverts said the company hoped to have the site back up by Tuesday.

Its parent company, First Data (fdc), provides much of the financial services backbone used to secure electronic-funds transfers to 75 percent of the world and provides card-issuer services for 1,400 financial institutions and 343 million consumers worldwide.

One security expert praised Western Union's handling of an unpleasant situation.

"I'm not inclined to beat them up too much, because they went public with the information," said David Kennedy, director of research services for security information provider ICSA.net.

"They came out with their problem -- and did it sooner rather than later. For that, they are a poster child for what to do right, in my mind."

Doing the right thing is not easy, said Western Union's Ziverts. "It was a hard decision, but we wanted to do the best thing," he said, adding that the company started contacting its customers on Saturday by telephone and e-mail.

"We believe that is the most aggressive step we could take to protect our customers," he said. "The second step is to make sure it doesn't happen again."

Currently, he said, Western Union is working with unnamed law enforcement officials to track down the thieves.

Other companies have not been so forthcoming in disclosing e-security breakdowns.

When digital thieves broke into CDUniverse's servers and stole almost 300,000 credit card numbers, the company and credit card corporations Visa International and MasterCard International decided against informing their customers about the loss.

Because Western Union has been quick to resolve the problem, Kennedy doubted any legal action would result.

"I don't think there is a grounds for a lawsuit unless there is some widespread fraud on these card numbers," he said. "You have 15,700 people that will have to change credit card numbers. It's inconvenience and not worth that much."

It's only a matter of time, said the researcher, before an e-commerce company's lack of security results in a liability lawsuit.

"In some ways, I wish there would be a big suit where someone gets hammered because, as security professionals, it would help us do our job. But I don't see (Western Union) being that suit."


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All