Payment processor CardSystems has agreed a settlement with the US Federal Trade Commission (FTC) over charges that it failed to protect sensitive information about tens of millions of consumers.
The FTC said failure to take appropriate measures to protect the consumer information was an unfair practice that violated US federal law. The security breach – the largest ever compromise of financial data – resulted in millions of dollars of fraudulent purchases, the FTC said.
Under the terms of the settlement, CardSystems and its successor, Pay By Touch Solutions, must implement a comprehensive information security programme, including administrative, technical and physical safeguards, which must be independently audited every two years for the next two decades.
The FTC had alleged that CardSystems created unnecessary risks to the information by storing it, did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, and did not implement simple, low-cost and readily available defences.
The company also failed to use strong passwords to prevent hackers taking control of its computers and getting access to personal information stored on the network. It did not use sufficient measures to detect unauthorised access to personal information or to conduct security investigations, the FTC charged.
CardSystems faces potential liability “in the millions of dollars” under bank procedures and in private legal action for losses related to the security breach, the FTC said.
Last year a US court ordered CardSystems and its co-defendants to keep all information and evidence relating to the security breach, in a class action brought by California credit card holders after hackers broke into the CardSystems computer network.