Brian Krebs is a must-follow on Twitter.  Krebs, an independent investigative journalist who writes about computer crime for his website, and previously wrote for The Washington Post from 1995 to 2009, tweeted this over the weekend.

He went on to tweet that, of the 25, two of the companies that were pwned were payment card processors. Depending on who the payment card processors are, and how much data was stolen, this has the potential to be a very significant breach.

What is a ColdFusion Exploit?

The payment card processors were reportedly hacked using a ColdFusion exploit. ColdFusion is an Adobe product, which is used to develop web applications. It's used by a wide variety of private companies and government agencies. It has 61 known vulnerabilities, which potentially allow hackers to do a number of things, including a "zero-day" attack to steal passwords and credit card information, or a wide-ranging attack on U.S. Government sites in November 2013 by hacker group Anonymous.

Who are the Payment Card Processors?

As of this post, it is not clear which processors have been hacked. Generally speaking, payment card processors perform a vital role in every card transaction, by acting as an intermediary between merchants (like Target) and the merchants' banks. The largest payment card processors, such as Global Payments, Inc., Heartland Payment Systems, and Total Payment Systems, handle card transactions for hundreds of thousands of merchants, processing billions of dollars of transactions each year. Back in 2012, Global Payments was hacked. At the time, Global was the 7th largest, and handled $120.6 billion in credit card volume. The hack made waves in the industry. The Global breach was smaller than originally feared, but the costs to Global were over $84 million. The stock plunged, and trading had to be halted on the day the news of the hack broke.

The Fallout

It will be interesting to see what the immediate fallout will be. On Wall Street, publicly traded payment processors will likely take a hit. Meanwhile, in Washington, Attorney General Eric Holder called on Congress last week to enact federal data breach legislation. Currently, there is no federal standard, and companies that experience a data breach must navigate a complex and varied patchwork of state regulations. Perhaps this breach will build momentum for a federal standard. Regardless, this story is one to keep an eye on as the week progresses.

For further information visit Waller's Banking Law Blog
