Western Union Site Back Up After Breach
- 16 September, 2000 12:01
Western Union Holdings Inc.'s Web site was out of commission for five days this week after a malicious hacker broke into the site and apparently copied the credit-card or debit-card numbers of about 15,700 Western Union customers.
Peter Ziverts, a spokesman at WesternUnion.com in Englewood, Colo., said getting the Web site back online took two days longer than company officials originally expected after discovering the security breach during a scheduled audit of site performance on Sept. 8.
Before the site went back online last Wednesday, he added, WesternUnion.com's developers fortified the site's security in an effort to ensure that customer data doesn't get compromised again.
Western Union said the security breach that opened up access to the credit-card data was caused by "human error" during routine maintenance and performance management testing work on the Web site, which had been upgraded in June to allow users to send money over the Internet. A key file apparently was left unprotected after the work was done, creating a security hole that could be used to enter the site.
After the breach was discovered, Western Union officials immediately shut down the Web site and began contacting customers who had transferred money online to notify them of the incident. It also informed the National Bankcard Association Inc. in San Diego in an attempt to circumvent any fraudulent use of the stolen card numbers. Ziverts said no illegal attempts to buy goods had been reported thus far.
Elias Levy, CTO at San Mateo, Calif-based Securityfocus.com, an information security portal that reviews security breaches, said Western Union hadn't provided enough information to determine what type of human error was responsible for the leak of credit-card information. But Levy said a breach while the system was in maintenance mode suggests a configuration problem.
More Security Needed
Whoever broke into the Western Union site may not have used the same techniques used to steal credit-card information from other large sites that maintain credit-card databases, but the number of such events suggests there is a need to do more to secure such systems, said Levy.
Levy said one possible solution to the problem, issuing one-time use credit cards, was recently suggested by American Express Co. He said that would be a better solution than the proposed Secure Electronic Transaction Standard (SET) promoted by credit-card companies, which would set standards for encrypting and authenticating transaction data.
"One-time credit cards would be easier to implement and would not change the way consumers and merchants do business," said Levy. "It was way too complex for consumers to go out and get certification from banks and download new software."