(801) 288-8835
Newsroom

Finland: Hackers Get Data on 10's of Thousands of Payment Cards

February 19, 2010 by YLE, Finland


Note from Nick: This story highlights the problems that are plaguing our global marketplace these days. Just because it happened in Finland doesn't mean that U.S. cardholders were not among those 10,000 victimes, or that breaches don't happen on a daily basis in the U.S. If your card company or bank does not offer immediate email or text message alerts whenever your card is used you should call your card issuer and demand it, and consider other options. It's the only way to protect yourself right now.

Helsinki police are investigating a computer system intrusion that gave hackers access to information about tens of thousands of different types of credit and bank cards. So far, the information for only a few cards has been exploited by the criminals.

Altogether, the hackers accessed the numbers of over 100,000 payment cards from the poorly secured system of a Helsinki business. Of those, about 10,000 also included all card data. Since the system break-in the business has replaced its system.

Police have declined to identify the business or what sector it operates in.

Hackers accessed the old system on several different occasions in January.

"Card information covering several years was stored on a server. The security breach, which originated abroad, targeted this server and they were able to download large amounts of data," says Inspector Jukkapekka Risu.

"The data accessed is about all types of cards. The cards themselves were not compromised, but information about transactions in which the cards were used came into the hands of the hackers because of deficiencies in the storage system," explains Henry Kylänlahti of the card payment company Luottokunta.

Luottokunta discovered the breach in January during a routine security check. So far, there is no indication of widespread exploitation of the data gathered by the hackers.

Copies have been made of a few individual cards that have subsequently been used in various parts of the world. Cardholders are not financially responsible for this criminal misuse.

On the basis of computer logs, hackers accessed the system from abroad, with IP addresses pointing to the US and Romania.

"The actual location could be anywhere," admits Inspector Risu.

If the card details have been compromised, card issuers will contact the cardholder about cancellation and replacement.

The case under investigation is the most extensive of its kind ever in Finland. Up to now similar cases have involved no more than a few hundred cards.