The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications.
Almost 50 percent of the credit and debit cards issued by the ACU have been affected between the Heartland breach and the compromises detailed by Visa in the latest CAMS alert, Bolling said, without disclosing the number of compromised cards.
The Pennsylvania Credit Union Association also issued an advisory, dated February 13, in which it described the recent alerts from Visa and MasterCard as being related to a new breach. "As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor," the PCUA said. The advisory appears to have since been removed from the association's Web site, but a cached version can be found via the Google search engine.
An advisory posted by the Tuscaloosa VA Federal Credit Union also indicated that "another" payment processor had been breached and said that the compromise involved so-called card-not-present transactions, such as those made online or via the phone. Tuscaloosa VA noted that the "window of exposure" provided by both Visa and MasterCard was from February 2008 to this January. And like the PCUA, the credit union said that because the affected payment processor had yet to publicly announce the breach, Visa and MasterCard were unable to identify it.
Heartland has yet to disclose the scope of the breach in its systems, saying that it still doesn't know how many card numbers were compromised. The company, which processes more than 100 million transactions per month, also has yet to specify when exactly the system intrusion took place, beyond saying that malware was operational on its systems "during part of 2008."
RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, disclosed December 23 that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million owners of prepaid payroll and gift cards (download PDF). The compromised information included the Social Security numbers of 1.1 million people, according to the company, which said it had discovered the breach in early November.