Sunday, January 4, 2009

RBS WorldPay Sweep Hack Under Rug

RBS [Royal Bank of Scotland] WorldPay has royally let its users down.

On December 23rd, 2008 they reported that their computer systems had been "improperly accessed by an unauthorized party" - this translates to being hacked. How much do you folks want to bet it was a nice, simple SQLi vulnerability?

Anyway, there is a big press-release here [PDF], but more importantly, let's look at the facts and figures here:
  • Incident happened November 10th, reported December 23rd; by my math that's 43 days from incident to disclosure
  • 100 incidents of confirmed fraud - so far
  • 1.5MM cardholders may have had certain personal information compromised
  • 1.1MM (of the above total) may have had their social security numbers accessed
A great quote from Ben Barone, president and CEO of RBS WorldPay, demonstrating the company's utter lack of understanding of the gravity of the situation:
"Privacy is important to RBS WorldPay and we regret any inconvenience this may cause affected individuals"
Brilliant. He's sorry this may "inconvenience" some of his customers... and by inconvenience he means this may lead to a complete compromise of your personal financial identity, potentially costing you hundreds of thousands of dollars in damages, litigation, court fees and other costs, not to mention the enormous amount of time it takes to clear your good name. As for privacy being important to RBS... what about security? Shouldn't that quote read "Security and customers' privacy... blah blah blah"?

See... I still think that big financial corporations just haven't gotten it. Until customers of RBS WorldPay file a massive class-action suit against them for failure to take "necessary and proper" precautions and security measures to secure their information, they and other companies will continue to sweep incidents like this under the rug, hoping people don't realize the incredible mess they may have put you in with their ineptitude and carelessness.

Perhaps this turned into a rant... but these sorts of disclosures make me angry. By the way, as of right now (1:33am CST, January 4th, 2009) the company's landing page has no trace of the disclosure, or of the additional information their press release implies. Need more proof they're trying to bury it?

EDIT: If anyone's curious about RBS WorldPay's security standards... read here. No wonder they were hacked; can anyone find anything but rudimentary SSL as their big "security" feature?


1/5/09 @ 9:20AM CST
Thanks to the anonymous responder for correcting me. RBS does have a reference link to this matter off their page (I was simply looking in the wrong place/site); the correct link is:

In a strange twist of "Be careful what you wish for", it now appears that a firm by the name of Sheller, P.C. has been investigating a possible class-action suit against RBS. I say this is interesting because I mentioned above that someone should litigate this, lest it disappear into the archives of yesterday without recourse. Source link here:


Anonymous said...

The info is on their home page. Look in the bottom right of the screen under Latest News. It has been there since the info was released.

Anonymous said...

Also, the link in your edit goes to , not . These are 2 completely different companies as far as this event is concerned, even though both are owned by RBS.

Anonymous said...

Even funnier is that they boast of relying on 'MD5' for 'security'.