Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014.
In a statement released today, the South Plainfield, N.J. electronic payment provider said it launched investigation after receiving complaints about fraudulent charges on cards that had been legitimately used at certain merchants. The information stolen includes the customer name, card number, expiration date and verification code.
“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” the company explained. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”
Charge Anywhere said it believes that “only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified,” although the company allowed that the unauthorized person had the ability to capture network traffic as early as November 5, 2009.
The incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to full encrypt the data as it traverses their network. The company has provided a searchable list of merchants who may have been affected by the breach.