Bank sues auditor over 2004 data breach

3 June 2009

A US bank is suing an auditor claiming it was negligent in certifying that a payment processing company was compliant with industry standards on data protection shortly before a breach that resulted in millions of credit cards being compromised.

In its complaint, Utah-based Merrick Bank says it lost $16 million in fraud, fines and other costs directly associated with the breach at CardSystems, which saw hackers steal 263,000 card numbers and compromise a further 40 million, Wired reports.

The bank is suing auditor Savvis, which less than a year before the data breach had said CardSystems was in compliance with the Cardholder Information Security Program (CISP), the industry standard that preceded the Payment Card Industry Data Security Standard.

However, Wired said it was later found that CardSystems had retained card data and stored it in an unencrypted format on its system, both of which contravene the CISP regulation.

Merrick therefore contends that Savvis' certification that CardSystems was in compliance with CISP was "false and misleading".

The technology magazine said the lawsuit is the first case in which an auditor has been sued for certifying a firm later found to be in breach of industry regulations.
