Hacker Hits RBS WorldPay Systems Database



Romanian hacker says he discovered a SQL injection flaw on a WorldPay application, but RBS says no merchant or cardholder data was compromised



By Kelly Jackson Higgins | DarkReading

A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database.



The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.



Unu says the company's response to his email warning of the vulnerability, as well as other security problems, was "unprofessional" and "confused."




Bonus Coverage!

RBS WorldPay downplays database hack reports

Updated RBS WorldPay and a hacker are at loggerheads over the seriousness of a supposed breach on websites run by the payment processing firm.



Security shortcomings - since blocked - on the RBS WorldPay website exposed confidential information, including admin passwords and the contact details of partners, according to blog posts by Romanian hacker Unu.

The grey-hat hacker previously exposed similar problems on the websites of the UK parliament and HSBC France, among many others. As before he published screenshots to back up his latest claims.


RBS WorldPay initially responded to our inquiries by saying that the reported SQL injection attacks mounted by Unu were thrown against test websites. All the dummy data involved was fictitious and in no way confidential, so there was no breach...



Editor's Note: You may or may not remember that RBS WorldPay previously had 1.5 million cards hacked. Here's a refresher provided by DataLossdb.com:

1.5 million credit card records compromised via hack
Records: 1,500,000
Record Types: CCN, SSN
Breach Type: Hack
Source: Unknown
Organization: RBS Worldpay
Other Organizations: None
Lawsuit?: YES
Data Recovered?: NO/UNKNOWN
Arrest?: NO/UNKNOWN
Submitted By: securityninja

TIMELINE

Date        Event
2008-11-10  Incident Occurred
None        Incident Discovered By Organization
2008-12-23  Organization Reports Incident
2008-12-23  Organization Mails Notifications
None        Records Recovered
2009-02-18  Lawsuit Filed
None        Arrest Made

SIMILAR INCIDENTS

Records  Date        Organizations
206,000  2005-12-28  Marriott International
679      2007-05-29  Mytreo.net
55,000   2006-01-08  Kerzner International Bahamas Limited, Atlantis

MAP OF INCIDENT LOCATION

Address: United States


Posted by John B. Frank Monday, September 14, 2009
