Slashdot Mirror


Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

7 of 232 comments

  1. Cashless Society by Anenome · · Score: 5, Interesting

    It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

    I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

    The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

    --
    "I Don't Have Enough Faith to be an Atheist"
    1. Re:Cashless Society by gzipped_tar · · Score: 3, Interesting

      Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.

      Debit cards are much safer -- you'll always need to enter the password to draw money from your account.

      --
      Colorless green Cthulhu waits dreaming furiously.
  2. Re:I hardly think there's an issue with Google. by Sockatume · · Score: 5, Interesting

    From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's a staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.

    --
    No kidding!!! What do you say at this point?
  3. Internet Finance by unlametheweak · · Score: 4, Interesting

    The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

    1. Re:Internet Finance by Anonymous Coward · · Score: 5, Interesting

      Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

      Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

  4. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  5. Re:Whirlpool thread by pallmall1 · · Score: 3, Interesting

    This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now, however.

    Ironically, the Whirlpool page is still available in the Google cache of the thread.

    What I want to know is why the CVV numbers were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS).

    --
    3 things about computers: they're alive, they're self-aware, and they hate your guts.