Hackers Hit Western Union

D E N V E R, Sept. 11, 2000 -- Hackers stole credit and debit card informationfrom 15,700 online customers of Western Union, whose Web site wasunprotected while undergoing maintenance.

By Sunday evening, no cases of credit card fraud had beenreported to the Englewood, Colo.-based company, and only customerswho used the Web site to transfer money remain at risk, said PeterZiverts, a Western Union spokesman.

The company began notifying customers of the problem on Friday,when the computer attack was first detected. By late Sunday, VisaInternational and MasterCard International Inc. had been contactedso that cardholders’ accounts could be monitored for possiblefraud.

Young Web SiteWestern Union, a unit of Atlanta-based First Data Corp., beganoffering online money transfer services in June, even though anofficial Web site launch was scheduled to take place later thismonth. Ziverts said the launch would likely be delayed.

Western Union would not divulge exactly how much business itconducts online, referring only to its Internet-based moneytransfer service as an “absolutely minuscule” portion of itstotal transactions.

The Web site that was hacked — http://www.westernunion.com — also allows customers to apply for a loan, send messages and locatethe nearest Western Union store. Customers using these serviceswere not affected.

Western Union offers similar services on a separate Web site —http://www.moneyzap.com — and customers using that site also werenot affected, Ziverts said.

Western Union said the problem was caused by human error and notan inherent technical flaw. Ziverts explained that employeesconducting regular maintenance on the company’s computer systemsleft parts of the Web site unprotected, allowing hackers to breakin.

Marc Rotenberg, executive director of the Washington-basedElectronic Privacy Information Center, said the Western Unionsecurity breach reflects the risks to consumers as companies rushto do business on the Internet.

“In the end, what matters to consumers is that the companies towhich they entrust their credit card numbers and personalinformation will be able to safeguard that data,” Rotenberg said.

Disposable Credit Card NumbersLast week, American Express announced it will offer disposablecredit card numbers for safer online shopping, part of a bid toaddress privacy and security issues analysts say have slowed thegrowth of e-commerce.

Western Union said the attack was not an inside job and thecompany has not taken any disciplinary action against itsemployees.

The company and law enforcement were investigating the breach,but Ziverts declined to provide further details about the probe orsay what agencies were involved. The FBI office in Denver would notsay whether it was participating.

Western Union carried out 73 million money transfer transactionsworldwide last year. Most of them are done through agents in storesand other locations, others by phone. Only customers who used theWeb site were affected, the company said.

The company has set up a toll-free number for complaints:1-800-228-6530.