Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

Cashless Society

[Anenome]

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

Re:Cashless Society

[zoney_ie]

Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

I for one sincerely hope we never have a cashless society.

Re:Cashless Society

[gravos]

Cashless is old hat. What we really need is a cacheless society.

Shoot the messenger!

[phayes]

It's not a problem with the idiot sites that let unprotected critical information out on a public accessible net and in addition omitted to place a well placed robots.txt, no...

IT'S GOOGLE'S FAULT!!!

Re:Shoot the messenger!

[sakdoctor]

Google should take SOME blame.

I held a robots.txt poster up at my window and google streetmap still photographed it.

er what

[Idimmu+Xul]

How is putting all your customer's credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

Re:I hardly think there's an issue with Google.

[Sockatume]

From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.

Misplacing blame on google

[Confuse+Ed]

From both the article and the summary re:

The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

Insisting on search engines removing removing this information from their indexes and remove it from their caches is just sweeping the problem under the rug : you or I taking a quick peek on the internet to see if our credit-card infomation has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

*tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

Re:Internet Finance

Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

Re:Internet Finance

[gmack]

But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets laying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.

Also larger retail stores feed your numbers into "complex automated software". Think TG max who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.

I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place