During massive attacks on Swedish payment systems in 2005, tens of thousands of credit card numbers were stolen, leading to the loss of millions of Swedish kronor. But until now, banks and credit card companies have covered up the size of the losses. Customers have been refunded quietly and the fraud investigation is being kept under wraps.
The first indication of the thefts came in the autumn of 2005, when the Swedish subsidiary of Pizza Hut was contacted by the security department of Nordea, one of Sweden’s largest banks. Pizza Hut was told that Nordea’s security division had traced stolen credit card numbers to Pizza Hut’s electronic payment system. As a result, some hundreds of credit card numbers were blacklisted. But this turned out to be only the tip of the iceberg.
Reporting by Computer Sweden has revealed that this was actually one of the biggest IT frauds in Swedish history. By cross-checking information, Computer Sweden learned that more than 24,000 credit card numbers were stolen from the electronic payment systems of Swedish companies. Some card numbers were from corporate cards with very high credit limits. All major Swedish banks were attacked. So were other European banks that have issued credit cards used in Sweden.
Information from the European office of Visa shows that 8 million Swedish kronor (US$1.1 million) has been paid to Visa customers that were victims of the fraud. The total cost for compensating customers of all the affected credit card companies has been much higher.
Neither Swedish banks, Visa nor MasterCard have made information about the extent of the fraud public. Banks have quietly compensated customers for their losses and replaced cards whose numbers were stolen, but without saying how the fraud was carried out or the number of cards that have been replaced.
Swedbank confirms that “several thousand” of their credit card numbers were stolen during the attacks. Nordea says 570 card numbers were used in fraud incidents, but could not say how many card numbers were stolen. The bank SEB says it identified “a couple of hundred” stolen credit card numbers.
Swedish police took part in the early investigation, but today it is being directed by Visa and MasterCard. They have hired the British security company One-sec to investigate the thefts.
“The big question is if it was an outside or an inside job. That was never determined,” said a policeman formerly involved in the case, who asked not to be identified.
It remains unclear how the fraud was perpetrated, but one common factor for all the companies that suffered losses is that they used the same payment system providers. In the spring of 2006, Swedish online payment service providers 3cint and Micros, and also IT services company TXL, were investigated by a group of security experts from One-sec, flown in to Sweden by Visa.
All of the companies investigated that have talked to Computer Sweden say they were, in effect, excluded from the investigation. They were given summary information about data intrusions but nothing was said about the extent of the fraud.
“They were very secretive. They basically didn’t say anything. I don’t even know if it was a hacker job or an inside job,” said an employee at one of the companies attacked.
The first time Visa mentioned the fraud was in an internal report on payment security, published almost a year after the investigations began.
Paul Ravenscroft, press officer at the European office of Visa, confirmed that his company is still investigating the attacks. He declined to say whether the investigation has reached any conclusions. “I doubt that we will say anything about this,” he said. “We do not comment on ongoing investigations.”
MasterCard confirmed that card numbers were lost during the attacks and that the company has been involved in the investigation. But it will not reveal how many card numbers were stolen. “It’s our policy not to reveal such details,” said Mats Taraldsson, deputy general manager of MasterCard in the Nordic region.