We've all seen companies duck questions about a data breach by claiming that they'd love to talk, but they're cooperating with an ongoing criminal investigation, and thus are sworn to secrecy.
Photo caption: At the Citibank branch at 65th Street and Madison Avenue in New York City, a bank official caught a man in the act of allegedly looting customer accounts in May. Some $180,000 had been stolen from Upper East Side ATMs in the preceding three days. Photo: Bryan Derballa/Wired.com

But Cardtronics, which owns the 7-Eleven ATMs implicated in a massive leak of PIN codes and millions of dollars in lost Citibank cash, treads new ground with this press release, which wields the exact opposite logic: They aren't cooperating in a criminal investigation, and therefore have nothing to say.
To recap what we know about the late-2007 PIN theft: Hackers broke into a server that processes transactions from the Citibank-branded ATMs at 7-Eleven convenience stores. The hackers installed some kind of software on the server, and made off with enough account numbers and PINs to steal at least two million dollars from Citibank accounts.
As of last month, Citibank was still revoking cards belonging to compromised customers. Ten people have been arrested so far in the case -- five for allegedly making fraudulent withdrawals, three more for conspiracy, one for obstruction of justice, and one for money laundering. Two of them named a Russian cybercrook as the kingpin.
Citibank won't say how many customers had their information stolen, but blames an unnamed third-party transaction processor for the breach. That's where Houston-based Cardtronics seems to enter the picture: The company owns all the U.S. 7-Eleven ATMs and runs its own transaction processing operation for 2,000 of the machines, the so-called Vcom (for "virtual commerce") kiosks.
Transaction processing for another 3,500 basic ATMs is outsourced to a company called Fiserv, but Fiserv flatly says that its network wasn't breached. Cardtronics' statement doesn't seem to go that far.
While it sheds no real light on the situation, the two-paragraph press release does raise some new questions. If the 7-Eleven ATM network really was in compliance with industry security standards, and the PINs were stolen anyway, are those standards good enough?
Cardtronics purchased the 7-Eleven ATMs last July. But at the time of the breach at least some of the Vcom machines were still sending transactions through a 7-Eleven server -- another potential access point. 7-Eleven, like Cardtronics, hasn't returned repeated phone calls on the breach.
Update: A 7-Eleven spokeswoman just sent me a statement. It seems they'd love to talk, but there's this ongoing criminal investigation, you see, and their hands are tied ...