CHARGE Anywhere, a New Jersey-based developer of payment gateway and mobile payment applications, on Tuesday disclosed that it had been breached and that hackers had access to transactions leaving its network, perhaps going back as far as 2009.
Most of the traffic was encrypted, the company said in its disclosure statement, but some plain text data was stolen between Aug. 17 and Sept. 22. The number of records accessed or stolen was not disclosed.
“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” CHARGE Anywhere’s statement read. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”
CHARGE Anywhere said the malware has been removed from its network since it was discovered Sept. 22. Evidence of network capture exists, they said, for traffic segments between Aug. 17 and Sept.22, but it’s likely this capability was available to the hackers dating back to Nov. 5, 2009.
The payment authorization requests, CHARGE Anywhere said, may include cardholder name, account number, expiration date and verification code.
“CHARGE Anywhere commenced the investigation that uncovered and shut down the attack after being asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants,” the company said. “The malware was immediately removed and we engaged a leading computer security firm to investigate how the malware was used and work with us to continue to enhance our network security measures.”
The company’s payment gateways send traffic from point-of-sale terminals and systems to payment processors. Merchant and processor systems, however, were not breached, the company said, adding that it is continuing to route merchant transactions.
“We have also been working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted,” CHARGE Anywhere said. “When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.”
The company also set up a page where consumers can search for merchants by name and location to determine if they were affected by the breach.
Retailer security has been headline news since the Target breach a year ago. Security experts and government entities have issued warnings about malware targeting point-of-sale systems and the need to encrypt data. Small retailers and hospitality providers are particularly under the gun because they’re under-resourced and rely on vendors for security. Even large retailers, such as Target, have suffered. Last week, a Minnesota District Court judge ruled Target negligent in its breach, allowing a litany of class-action lawsuits from consumers and financial organizations to proceed.