The $9 Million WorldPay Hack in 2008: A Case Study in Cybercrime and Payment Systems

The cyber incident at Royal Bank of Scotland’s (RBS) Worldpay in November 2008 was a complex and sophisticated attack that resulted in the theft of $9 million from ATMs in 49 cities around the world. The incident, which affected thousands of businesses that use Worldpay’s payment processing services, highlights the vulnerability of payment systems and the need for robust security measures to protect against hacking and fraud.

The incident began when the hackers exploited a vulnerability in the network of RBS Worldpay, a subsidiary of the Royal Bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. The attackers were able to gain access to a database containing the account numbers and personal identification numbers (PINs) of payroll debit cards that the company’s customers give to their employees in lieu of live paychecks or direct deposits.

Once inside the RBS Worldpay network, the hackers, led by a man identified only as “Hacker 3”, allegedly reached that database and obtained both the debit card account numbers and the PINs associated with those accounts. It’s unclear whether the account numbers and PINs were stored together.

The hackers then used this information to create clones of the debit cards and distributed them to a worldwide network of “cashers” in more than 280 cities. The cashers then used the cloned cards to withdraw money from ATMs in a coordinated attack that took place within a span of 12 hours.
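The cash-out pattern described above (one card's data used at ATMs in many cities inside a 12-hour span) is what issuer-side monitoring can look for. The following is an added example, not code from Worldpay or the investigation; the record layout, card and city labels, timestamps and the two-city threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)  # span of the coordinated withdrawals, per the article
MAX_CITIES = 2                # assumed threshold: more distinct cities than this is flagged

# Constructed sample ATM withdrawal records: (ISO timestamp, card, city, amount)
SAMPLE = [
    ("2008-11-01T00:05:00", "CARD-A", "city-01", 500),
    ("2008-11-01T01:10:00", "CARD-A", "city-02", 500),
    ("2008-11-01T03:40:00", "CARD-A", "city-03", 500),
    ("2008-11-01T05:55:00", "CARD-A", "city-04", 500),
    # Many withdrawals in one city: not geographic spread, so not flagged here
    ("2008-11-01T10:00:00", "CARD-B", "city-05", 200),
    ("2008-11-01T10:20:00", "CARD-B", "city-05", 200),
    ("2008-11-01T10:40:00", "CARD-B", "city-05", 200),
    # Two cities inside the window: at the threshold, not above it
    ("2008-11-01T08:00:00", "CARD-C", "city-06", 100),
    ("2008-11-01T15:00:00", "CARD-C", "city-07", 100),
    # Three cities, but a day apart each: never inside one 12-hour window
    ("2008-11-01T09:00:00", "CARD-D", "city-01", 100),
    ("2008-11-02T09:00:00", "CARD-D", "city-02", 100),
    ("2008-11-03T09:00:00", "CARD-D", "city-03", 100),
]

def flag_cashout_cards(records, window=WINDOW, max_cities=MAX_CITIES):
    """Return {card: cities} for cards used in more than max_cities
    distinct cities within any sliding window of the given length."""
    by_card = defaultdict(list)
    for ts, card, city, _amount in records:
        by_card[card].append((datetime.fromisoformat(ts), city))
    flagged = {}
    for card, events in by_card.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            cities = {c for _, c in events[start:end + 1]}
            if len(cities) > max_cities:
                # Cities seen at the moment the threshold was crossed
                flagged[card] = sorted(cities)
                break
    return flagged

if __name__ == "__main__":
    for card, cities in flag_cashout_cards(SAMPLE).items():
        print(f"ALERT {card}: withdrawals in {len(cities)} cities within 12h: {cities}")
```

The rule fires on the third city, so an alert can be raised while withdrawals are still in progress rather than after the window closes.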

The incident, which was investigated by the Federal Bureau of Investigation (FBI), illustrates the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes. The attack also highlights the need for strong encryption and security measures to protect sensitive information and prevent unauthorized access.

In the wake of the incident, Worldpay has implemented a number of security measures to protect against future attacks, including enhanced encryption and security protocols, and improved monitoring and detection capabilities. The company has also taken steps to improve its incident response and recovery procedures to minimize the impact of future incidents.

It is worth mentioning that Worldpay, Inc. was an American payment processing company and technology provider. In June 2019 it was acquired and merged into Fidelity National Information Services Ltd (FIS). Before its acquisition, it was headquartered in the greater Cincinnati, Ohio area. Worldpay (formerly Vantiv) was the largest U.S. merchant acquirer ranked by general-purpose transaction volume.

The company provides payment and technology services to merchants and financial institutions in the U.S. and processes more than 20.1 billion payment transactions and approximately $726 billion in volume annually. As of 2014, the predecessor company, Vantiv, supported approximately 400,000 merchant locations and more than 17,000 automated teller machines (ATMs) in 46 states and eight countries.

The company’s merchant base includes customers in vertical markets such as retail, restaurant, government, e-commerce, supermarket, drug store, business-to-business, and consumer services. Its financial institution base includes a diverse set of financial institutions, including regional banks, community banks, credit unions, and regional personal identification number (PIN) debit networks.

This cyber-incident is a reminder for Worldpay, and all payment processing companies, to continuously review and improve their security measures to protect sensitive information and prevent unauthorized access. It also serves as a warning for companies to be aware of the potential risks and to have incident response and recovery procedures in place to minimize the impact of future incidents.

