In a breach incident that illustrates how long a company can do business without knowing fraudsters are potentially stealing its card data, Charge Anywhere LLC informed its merchants it has found and shut down malware that initially entered its network five years ago.
The South Plainfield, N.J.-based payments gateway software provider notified its merchants Dec. 9 on its website, noting that recent complaints of fraudulent charges triggered an investigation that revealed the malware had actually infiltrated the payments network in November of 2009.
But only files containing "segments of network traffic" from Aug. 17 through Sept. 24 of this year were identified as compromised, Charge Anywhere said. The stolen data may include cardholder names, account numbers, expiration dates and verification codes, the company said.
Though those were the only files the company's investigation revealed as affected, Charge Anywhere said the malware, which went undetected by anti-virus protections, had the ability to capture card data for the past five years.
Charge Anywhere provides the software that routes electronic payments from a merchant point of sale to the merchant processor. The company is encouraging consumers to check their account statements carefully for any unauthorized activity.
The breach did not affect any systems or devices at the merchant locations, nor those of any ISO, processor or other service provider, Charge Anywhere said.
Charge Anywhere has not determined the number of card accounts potentially affected by this breach. The company did not respond to a PaymentsSource request to comment beyond the published statement.
The breach represents "more bad news for the payments industry" and leaves a fear that many other companies could have malware infecting their networks for a long period of time without knowing it, said Al Pascual, senior analyst and fraud expert for Javelin Strategy & Research.
"If it was malware that antivirus protection hadn't seen before, it makes it a little more understandable as to why it was in the network for so long," Pascual said. "If it just sat in there dormant this whole time, the company would have a hard time detecting it."
However, Charge Anywhere's explanation makes it "hard to believe that a criminal could have a foothold in a system for five years and design to only just now start taking card data," Pascual added.