Hacker Hits RBS WorldPay Systems Database

Hacker Hits RBS WorldPay Systems Database



Romanian hacker says he discovered a SQL injection flaw on a WorldPay application, but RBS says no merchant or cardholder data was compromised



By Kelly Jackson Higgins | DarkReading

A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database.



The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.



Unu says the company's response to his email warning of the vulnerability, as well as other security problems, was "unprofessional" and "confused."

Continue Dark Reading



Bonus Coverage!

RBS WorldPay downplays database hack reports

Updated RBS WorldPay and a hacker are at loggerheads over the seriousness of a supposed breach on websites run by the payment processing firm.



Security shortcomings - since blocked - on RBS WorldPay website exposed confidential information, including admin passwords and the contact details of partners, according to blog posts by Romanian hacker Unu.

The grey-hat hacker previously exposed similar problems on the websites of the UK parliament and HSBC France, among many others. As before he published screenshots to back up his latest claims.

RBS WorldPay initially responded to our inquiries by saying that the reported SQL injection attacks mounted by Unu were thrown against test websites. All the dummy data involved was fictitious and in no way confidential, so there was no breach...



Editor's Note: You may or may not remember that RBS WorldPay previously had 1.5 million cards hacked.  Here's a refresher provided by DataLossdb.com

1.5 million credit card records compromised via hack
Records	1,500,000
Record Types	CCN SSN
Breach Type	Hack
Source	Unknown
Organization	RBS Worldpay
Other Organizations	None
Lawsuit?	YES
Data Recovered?	NO/UNKNOWN
Arrest?	NO/UNKNOWN
Submitted By:	securityninja

TIMELINE

Date	Event
2008-11-10	Incident Occured
New Timeline Item For Incident Occured Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
None. Add Data	Incident Discovered By Organization
New Timeline Item For Incident Discovered By Organization Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
2008-12-23	Organization Reports Incident
New Timeline Item For Organization Reports Incident Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
2008-12-23	Organization Mails Notifications
New Timeline Item For Organization Mails Notifications Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
None. Add Data	Records Recovered
New Timeline Item For Records Recovered Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
2009-02-18	Lawsuit Filed
New Timeline Item For Lawsuit Filed Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)
None. Add Data	Arrest Made
New Timeline Item For Arrest Made Date 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 January February March April May June July August September October November December 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Reference URL Spam Check: (type the code from the image)

SIMILAR INCIDENTS

records	date	organizations
206,000	2005-12-28	Marriott International
679	2007-05-29	Mytreo.net
55,000	2006-01-08	Kerzner International Bahamas Limited, Atlantis

MAP OF INCIDENT LOCATION

Terms of Use

Map

Satellite

Hybrid

Address: United States

Have a better address for this incident? Suggest it!

Suggest New Address

Have a better address for this submission? Suggest it, e.g., "Richmond, VA" or "USA" or "3111 World Dr., Lake Buena Vista, FL 32830"

Address:

Reference URL:

Spam Check:

(type the code from the image)

suggest a new reference

REFERENCES

• http://securityninja.co.uk/blog/?p=112 [archive]


• http://www.rbsworldpay.us/prepaid_info.html [archive]


• http://www.tmcnet.com/usubmit/2008/12/23/3875815.htm [archive]


• http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html [archive]


• http://www.rbslynk.com/prepaid_info.html [archive]


• http://www.ajc.com/video/content/video/?bcpid=1659825399&bclid=1717763711&bctid=5777537001 [archive]


• http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf [archive]


• http://www.foxnews.com/story/0,2933,487184,00.html [archive]


• http://www.bankinfosecurity.com/articles.php?art_id=1213 [archive]


• http://news.scotsman.com/scotland/US-arm-of-RBS-faces.4989997.jp [archive]