US payments processor CardSystems Solutions has agreed to settle federal charges that it failed to protect the financial data of millions of consumers following a security breach last year that exposed more than 40 million credit cards to hackers.
The US Federal Trade Commission (FTC) says the breach, which occurred in May last year, is "the largest known compromise of financial data to date" and "led to millions of dollars in fraudulent purchases".
Under the terms of the settlement, CardSystems must implement a stricter security programme and obtain audits by an independent third-party security professional every other year for 20 years.
CardSystems Solutions, which is now owned by Pay By Touch, failed to take appropriate security measures to protect the sensitive information of tens of millions of consumers and faces potential liability for millions of dollars in private litigation for losses related to the breach.
The firm said in June last year that it had identified a potential security incident that occurred in May, which it reported to the FBI. But chief executive of CardSystems, John Perry, later told reporters that the company should not have been retaining the records that were breached.
The FTC says CardSystems created unnecessary risks to the information by storing it and failed to ensure that its network was secure from attacks. The company did not use strong passwords to prevent a hacker from gaining access to personal data stored on its computer network, says the FTC, and did not have security measures in place to limit access between computers on its network and between its computers and the Internet. The firm also failed to employ sufficient measures to detect unauthorised access to personal data or to conduct security investigations.
"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," says Deborah Platt Majoras, Chairman of the FTC. "Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner."
Last month US credit data firm ChoicePoint was made to pay $15 million to settle charges that it failed to protect customers' financial data following a data breach where a gang of criminals posing as businessmen managed to gain access to around 163,000 personal records.