On November 8, a co-ordinated attack on 130 ATMs in 49 cities enabled 'cashers' - low-level operatives probably recruited by higher-level criminals - to take $9m using cloned cards.
The attack happened just two days before the Royal Bank of Scotland subsidiary discovered the data breach, which focused on data from its payroll and open-loop gift card business. The stolen data enabled the criminals to clone the cards. Fraud had been committed on 100 cards, the company said at the time. However, the hackers were able to repeatedly reset the limit on the cards used, so that large amounts of money could be extracted in a very short time period. Cashers operated in cities from the US through to Russia and Asia.
Payroll cards can be used just like conventional debit and credit cards: in ATMs, for point-of-sale and online purchases, and for paying bills. The cards are pre-loaded with funds by employers as a means of paying employees. The card processor is resetting the PINs on affected cards. It is worth noting, however, that the chip and PIN technology that would be used to stop physical fraud with the cards, by referencing a microchip during a cardholder-present purchase, has not yet been widely deployed in the US.
The FBI are trying to find two suspected cashers filmed withdrawing cash in Atlanta.
The breach was discovered almost three months ago, although a letter provided by the company suggests that affected individuals were not notified until six weeks later. The breach could have led to the compromise of 1.5m cardholders' personal information, including 1.1m social security numbers. No identity theft from the breach has yet been discovered, but RBS Worldpay has offered a year's free credit protection to affected parties.
Last month, a class action lawsuit was filed against RBS Worldpay for failing to protect customers' sensitive information.