Three law firms filed a class-action lawsuit against payment processor RBS Worldpay this week, following reports that an intrusion into the company's network resulted in the brazen theft of $9 million from ATMs in 49 cities worldwide.
On November 8, low-level thieves — known as "cashers" — descended on more than 130 ATMs in Atlanta, Chicago, New York, Montreal, Moscow, Hong Kong and 43 other cities and depleted 100 accounts of about $9 million, Fox News reported this week. At the same time, online criminals lifted the restrictions on withdrawals that would have limited the losses to $500 per card, the report stated.
RBS Worldpay, the U.S. payment processing arm of the Royal Bank of Scotland, learned two days later that the financial information used in the theft was stolen from its servers. Not until December 23, two days before Christmas, did the company notify its customers that the personal and financial details of 1.5 million cardholders and the social security numbers of 1.1 million workers had been compromised.
"RBS was intimately familiar with industry-wide duties and standards regarding data security," a copy of the lawsuit obtained by SecurityFocus states. "Ironically, as part of its business, RBS offers data breach protection services to its merchant clients."
The suit follows other legal actions filed this year against insecure payment processors. Last week, a Pennsylvania law firm filed a lawsuit against payment processor Heartland Payment Systems, following a major intrusion that tapped into the company's network, which processes approximately 100 million payment transactions a month.
The lawsuit could potentially make public details about how attackers gained access to the processors' networks as well as the size of the thieves' data haul. Two years ago, following the disclosure of a breach of retail giant TJX, numerous lawsuits were filed on behalf of banks and consumers. Evidence presented in one lawsuit revealed that the number of accounts exposed by the compromise was double -- nearly 100 million -- what had publicly been stated.
The lawsuit against RBS Worldpay involves law firms in Pennsylvania, Georgia and Washington D.C. The lawsuit combines earlier individual suits filed by the firms on behalf of their clients.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos