Major online credit card theft exposed

Hacker hid data on 485,000 cards on US agency's Web site
Written by ZDNet UK, Contributor

In the largest known case of "cybertheft", a computer intruder stole information on more than 485,000 credit cards from an e-commerce site, and then secretly stored the massive database on a US government agency's Web site, ZDNet US has learned. Credit card companies notified financial institutions, but many of the compromised accounts remain open to this day, because the banks neither closed them nor notified customers of the theft.

The heist occurred in January 1999, but only a few details have previously been made public.

The scope of the crime emerged in a letter dated 27 December from Visa USA to member financial institutions. Jim Macken, a secret service spokesman, confirmed that the incident had occurred and added some details in an interview on Thursday.

The Visa letter quotes federal authorities as saying that the credit card information -- including expiration dates and cardholder names and addresses -- was stolen from an Internet retail site by a hacker.

It said the store of data on Visa, MasterCard, American Express and Discover cards was discovered on an unspecified government computer system during an audit. The letter did not say when the stolen data was found, but Macken said it was discovered before March 1999 on the Web site of a US government agency, which he declined to identify. "This government Web administrator noticed that a lot of the memory was chewed up for no reason, so he checked and found the file (containing the stolen data)," he said.

There was no evidence that any of the cards were used to commit fraud and some of the accounts were not active, Macken added.

The letter said that authorities had not identified the thief, but Macken said investigators have since traced the criminal to Eastern Europe. The investigation is ongoing and involves diplomatic contacts with the country in question, he said.

The Internet retail site from which the data was stolen has also since been identified, but Macken declined to name it.

It was unclear why the thief hacked the government Web site and stored the data there, Macken said, although he said the act might have been the online equivalent of thumbing one's nose at US authorities, which have so far been stymied in their attempts to prosecute credit card thieves and fraud rings based in the former Soviet bloc nations and Asia.

Secret service officials testified about some details of the case before Congress early last year to demonstrate the peril computer hackers pose to online commerce, Macken said. Their comments generated little coverage, however, and the scope of the case is only now becoming clear.

Officials at Visa took no action to warn customers whose account numbers were among those stolen by the hacker, said the credit union source, who spoke on condition of anonymity. Instead, they ordered a "spot check" of 50 to 100 accounts and then decided that no further action was necessary, said a source.

The source added that the same procedure was followed two weeks later, when Visa alerted the institution of the theft of data on 300,000 credit cards from the CD Universe Web site -- the biggest theft of credit card data over the Internet that previously had been made public. "It was decided that it would be too much of an inconvenience and too costly to shut down the accounts and issue new numbers," said the source. "It was deemed not the credit union's responsibility."

The credit union source said that fraudulent charges have subsequently appeared on some of the accounts that were compromised, although it is impossible to definitively link the fraud to the theft.

Several financial institutions ordered the wholesale closure and replacement of cards that were compromised in the CD Universe case, which also remains under investigation. Such across-the-board replacement programs were well publicised in an effort to assure online consumers.

Banks and credit card companies often point out that consumers are responsible only for the first $50 (£31) of fraudulent online purchases -- and that is nearly always waived. But stolen credit card information can be used to commit fraud against unsuspecting Internet merchants, which in most cases, bear the cost of the crime, or for identity theft -- a practice where criminals use personal data to obtain new credit, borrow money or make big purchases.

The Treasury Department on Wednesday held a two-day national summit on identity theft to focus attention on what Treasury secretary, Lawrence Summers, described as "a growing and major criminal threat".

At the session, victims said that while they did not ultimately have to pay for the losses run up in their names, identity theft is by no means a victimless crime. "It has been sheer hell, and I do mean hell," said Darlene Zele, a Rhode Island hospital worker who one of the victims. She testified about years of struggling to repair the havoc wrought on their credit records. "At this point, after five years, it's still not over," she said.

The latest criminal hacking scandal has got plenty of e-tailers worried. Tony Westbrook wonders if this means you shouldn't be using your credit card online any more. Go to AnchorDesk UK for the news comment.

Take me to Hackers

What do you think? Tell the Mailroom and read what others have to say.

Editorial standards