Mobile payment processor hacked

A breach revealed Tuesday has exposed the vulnerabilities of yet another link in the electronic payment process.

Charge Anywhere, a mobile payments company that sends payment data from merchants to payment card processors, said malicious software on its network may have had access to cardholder data for up to five years.

ADVERTISEMENT

“Charge Anywhere’s investigation found malware that had not been previously detected by any antivirus program,” the company said.

Data breaches at companies like Target and Home Depot have highlighted the flaws of point-of-sales systems — essentially the checkout machine. The breach announced Tuesday draws attention to a less publicized security shortcoming of electronic payments.

Not all of the payment information Charge Anywhere transmitted was encrypted, the company said. Hackers were able to infiltrate the encrypted traffic and gain access to the unencrypted traffic.

While the company only found evidence of cyber thieves capturing information from Aug. 17 to Sept. 24 of this year, it acknowledged, “the unauthorized person had the ability to capture network traffic as early as … 2009.”

It’s difficult to know which consumers are potentially affected since Charge Anywhere works with so many partners. The company created a searchable list of merchants that could have been affected.

The proliferation of data breaches over the last 12 months has led to much discussion, but no legislation, on the Hill. 

Lawmakers have considered a number of bills to require basic data security guidelines and data breach notification requirements, but nothing has come close to passing.