Hackers Hit Western Union

D E N V E R, Sept. 11, 2000 -- Hackers stole credit and debit card information from 15,700 online customers of Western Union, whose Web site was unprotected while undergoing maintenance.

By Sunday evening, no cases of credit card fraud had been reported to the Englewood, Colo.-based company, and only customers who used the Web site to transfer money remain at risk, said Peter Ziverts, a Western Union spokesman.

The company began notifying customers of the problem on Friday, when the computer attack was first detected. By late Sunday, Visa International and MasterCard International Inc. had been contacted so that cardholders’ accounts could be monitored for possible fraud.

Young Web Site Western Union, a unit of Atlanta-based First Data Corp., began offering online money transfer services in June, even though an official Web site launch was scheduled to take place later this month. Ziverts said the launch would likely be delayed.

Western Union would not divulge exactly how much business it conducts online, referring only to its Internet-based money transfer service as an “absolutely minuscule” portion of its total transactions.

The Web site that was hacked — http://www.westernunion.com — also allows customers to apply for a loan, send messages and locate the nearest Western Union store. Customers using these services were not affected.

Western Union offers similar services on a separate Web site — http://www.moneyzap.com — and customers using that site also were not affected, Ziverts said.

Western Union said the problem was caused by human error and not an inherent technical flaw. Ziverts explained that employees conducting regular maintenance on the company’s computer systems left parts of the Web site unprotected, allowing hackers to break in.

Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center, said the Western Union security breach reflects the risks to consumers as companies rush to do business on the Internet.

“In the end, what matters to consumers is that the companies to which they entrust their credit card numbers and personal information will be able to safeguard that data,” Rotenberg said.

Disposable Credit Card Numbers Last week, American Express announced it will offer disposable credit card numbers for safer online shopping, part of a bid to address privacy and security issues analysts say have slowed the growth of e-commerce.

Western Union said the attack was not an inside job and the company has not taken any disciplinary action against its employees.

The company and law enforcement were investigating the breach, but Ziverts declined to provide further details about the probe or say what agencies were involved. The FBI office in Denver would not say whether it was participating.

Western Union carried out 73 million money transfer transactions worldwide last year. Most of them are done through agents in stores and other locations, others by phone. Only customers who used the Web site were affected, the company said.

The company has set up a toll-free number for complaints: 1-800-228-6530.