Shostack + Friends Blog Archive


Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor


Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk.
Regions said the security breach involves a company that processes credit and debit cards nationwide.
The bank, which says it was not responsible for the problem, will issue new credit cards to its customers soon, Call 6 for Help’s Rafael Sanchez reported Monday.
“Many times when this happens, there is no impact whatsoever, but we just decided to take the extra precaution,” said John Kinman, Regions Bank senior vice president.
Information on how the breach happened and the extent of the risk wasn’t known, Sanchez reported.
The credit-card processing company works for other banks, so it is possible that other banks will take the type of action that Regions is taking, Sanchez reported.

I am more convinced than ever that my prediction of a major suit against a processor will pan out. Regions Bank isn’t exactly Chase or BofA, size-wise, and they had 100K cards exposed.
Neat how the bank VP says the precaution is “extra”, while the News guy says the risk is unknown. Looks to me like the banker has already put an upper bound on it (at least until a Russian web site gets into the act).
Update 2/10/2006: Error in bank name corrected. My apologies. [cw]

2 comments on "Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor"

  • Chris,
    You wrote:
    “. . . I am more convinced than ever that my prediction of a major suit against a processor will pan out . . .”
    Give me some background and links to read. I keep track of your coverage on breaches, but I’d like more of your insight on what you believe will precipitate “the major suit”. Also, given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this case?
    It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether the current action (or inaction) by the bank is acceptable to customers if the risk is unknown? Is customer data adjacent to the CC#, i.e. SS#, name, address, etc. (still) in the wild from the breach? Card replacement would then only be a token gesture that serves no real purpose to reduce the customer’s position of risk. This of course is also to say nothing of any other risk to any other banks that use this processor and their respective customer bases.
    As I’ve said before (and just mentioned it on my blog) you guys do an outstanding job at getting timely and accurate information and presenting it for easy consumption.
    You have my gratitude for my increased awareness.

  • Chris Walsh says:

    Thanks for the kind words. I will attempt to cook up a post that answers your questions. It may take a few days. As you probably have noticed, my posts tend to be short — not much analysis, just some facts and a reaction. This one will be different.

Comments are closed.