CIPP Information Privacy & Security News: Group items tagged Payment

Karl Wabst

Visa drops Heartland, RBS WorldPay from PCI compliance list after breaches - 0 views

  •  
    Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data-security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data. In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of service providers compliant with PCI (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" putting Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor. Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual. Strictly speaking, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS), said Gartner Inc. analyst Avivah Litan.
Karl Wabst

Heartland Payment Systems to vigorously defend breach claims, CEO says - 0 views

  •  
    Heartland Payment Systems Inc., which announced a breach of potentially millions of credit and debit cards last month, said it plans to vigorously defend itself against lawsuits filed as a result of the data breach. In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business. "We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims." The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sheriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey. Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said. "In the weeks since our announcement of the breach, we have installed more margin, and have a bit
Karl Wabst

Cybersecurity hearing highlights inadequacy of PCI DSS - 0 views

  •  
    The Payment Card Industry Data Security Standard (PCI DSS) is ineffective and major payment processing infrastructure improvements are needed to secure credit and debit card transactions, lawmakers said Tuesday. The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to examine the effectiveness of PCI DSS. "The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now," said U.S. Rep. Yvette Clarke (D-N.Y.), who chairs the subcommittee. "The payment card industry and issuing banks need to commit to investing in infrastructure upgrades here in the United States." Clarke called on the industry to implement encryption on its credit and debit card processing networks and said the deployment of chip and PIN technology could significantly reduce the amount of stolen payment data. Chip and PIN technology is used in Asia and Europe. The technology replaces the magnetic strip on the back of a card and adds a four-digit personal identification number (PIN) to confirm a payment.
Karl Wabst

Companies offer to pay breach fines - SC Magazine US - 0 views

  •  
    Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach. However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage. For Mercury, the retailer would have to prove it was Payment Card Industry Data Security Standard-compliant (PCI DSS) at the time of a breach. "This is an enticement program to get merchants involved in PCI compliance," Jim Mackay, Mercury's vice president of marketing, told SCMagazineUS.com Friday. "Though there are critics who say that PCI does not go far enough, at least it's a step in the right direction."
Karl Wabst

Heartland Update: Class Action Suit Filed - 0 views

  •  
    Exactly one week after the Heartland Payment Systems (HPY) breach was first announced to the public, the first lawsuit has been filed against the payments processor. The class action lawsuit filed Tuesday by Chimicles & Tilellis LLP of Haverford, PA in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserts that Heartland "made unreasonably belated and inaccurate statements concerning the breach." The complaint says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach. Chimicles & Tilellis' complaint also says in addition to the questionable timing of the announcement of its breach, "there are materially misleading statements and omissions in Heartland's public description of the breach and its consequences." Heartland announced the breach in a press release on the same morning of President Barack Obama's inauguration. The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach. Heartland is the fifth largest payment processor in the country and handles 100 million transactions per month for more than 250,000 small retailers, gas stations, restaurants and other small and midsized companies. The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect th
Karl Wabst

Post-breach criticism of PCI security standard misplaced, Visa exec says - 0 views

  •  
    Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure. Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly." Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year. "I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.
Karl Wabst

IAPP - International Association of Privacy Professionals - Carr gets to heart of it - 0 views

  •  
    Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy officer or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl
Karl Wabst

Is Nevada's New Privacy Law a 'Game-Changer?' - 0 views

  •  
    Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information. Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law. According to Nevada's new law, if a data collector doing business in that state accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of PCI DSS, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization. Is it a Game-Changer? As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.
Karl Wabst

Slide 1 - 0 views

  •  
    "This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10-K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation. Topics / Agenda - The Future of Electronic Payments * What Is The Problem? The Cybercrimes Arms Race * Who Is Heartland Payment Systems? * What Happened and What Has/Will It Cost? * What Did We Do About It and What Are We Doing Now? * Massive Quantity/Quality of Breaches Call for Enhanced Solutions * Our New Solution Called E3 -
Karl Wabst

Visa: New payment-processor data breach not so new after all - security breach - Comput... - 0 views

  •  
    Days after Visa seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems and RBS WorldPay, the credit card company now is saying that there was no new security incident after all. In actuality, Visa said in a statement issued Friday, alerts that it sent recently to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor say why it is continuing to keep the name under wraps. Visa said that it had sent lists of credit and debit card numbers found to have been compromised as part of the investigation to financial institutions "so they can take steps to protect consumers." It added that it currently "is risk-scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones." Visa's latest statement follows ones issued by both it and MasterCard International earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on January 20 and suggested that a new breach had occurred.
Karl Wabst

UPDATE 1-Heartland to settle class actions over cyber breach | Reuters - 0 views

  •  
    "* To pay all costs tied to administration of settlement * To pay class members' attorney costs Dec 21 (Reuters) - Credit card processor Heartland Payment Systems Inc (HPY.N) said it would settle consumer cardholder class actions tied to claims arising from breach of its system by cyber thieves, and pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class. The deal settles all intrusion-related proceedings by consumers who used the payment cards between Dec. 6, 2007 and Dec. 31, 2008, including those who may allege to have suffered losses, the company said in a statement. Heartland, which agreed to pay $3.6 million last week to settle claims with American Express Co (AXP.N) related to the criminal breach, reported in January this year that cyber thieves hacked its payment system and stole credit card information. Shares of the New Jersey-based company were down 18 cents at $13.29 Monday morning on the New York Stock Exchange. "
Karl Wabst

PCI QSA assurance program penalizes assessors - 0 views

  •  
    Two firms certified to assess a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. "We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation. Chris Konrad, senior vice president of client services at Fortrex, did not return a phone call seeking comment. Fortrex's business is U.S.-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application quality security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification." The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs don't appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised issues with QSA's pitching security products during the assessment process. Merchants that receive negative feedback are placed on probation and a revocation process is in place if assessors do not address the issues identified by the council.
Karl Wabst

Banks, credit unions begin to sue Heartland over data breach - 0 views

  •  
    In an indication of the legal troubles that companies can find themselves in over data breaches these days, several banks and credit unions have begun suing Heartland Payment Systems Inc. over its recently disclosed data breach. In the six weeks since the potentially massive breach was disclosed, eight banks and credit unions have filed lawsuits against Heartland over its alleged failure to take adequate measures for protecting credit and debit cardholder data. Heartland said on Jan. 20 that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of customers. The breach, thought to possibly be the biggest ever disclosed, has already affected over 500 financial institutions, including a handful in the Bahamas, Bermuda and Canada. The lawsuits seek compensation from Heartland for the costs that the financial institutions said they've had to bear in notifying affected customers about the breach and in reissuing new payment cards. The lawsuits also claim damages from Heartland for costs of the alleged fraud that the banks claimed have resulted from the breach.
Karl Wabst

Visa says no new breach - 0 views

  •  
    Visa Inc. said recent alerts it sent to credit card issuers are not related to a new breach, countering reports that a second payment processor had been compromised. In a statement issued Friday, San Francisco-based Visa said the alerts "were part of an existing investigation and are not related to a new compromise event." Credit unions last week reported receiving alerts from Visa and MasterCard about credit and debit card accounts that were exposed in the breach of a payment processor. They reported that the compromise was unrelated to the breach announced by Heartland Payment Systems in January. Information about newly affected accounts was relayed to banks and credit unions Feb. 9, via Visa's Compromised Account Management System (CAMS). The system, which informs banks of compromised account numbers, gives issuers the ability to monitor, close, or block the compromised accounts. Visa's statement did not say what existing investigation the alerts are related to and a company spokesman said he couldn't provide that detail. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," the company said in its statement. "In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones." Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said it's impossible to draw any conclusions based on the Visa statement. "It doesn't say if the breach is public or not, so it may be older but not revealed yet," he wrote in an email. "In other words, it just adds to the confusion. I assume the full story will come out eventually, and since they don't identify the breach it's hard to really evaluate this at all." Heartland disclosed Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards.
Karl Wabst

Two New Suits Filed in Heartland Data Breach - 0 views

  •  
    Two Philadelphia law firms have filed class action suits on behalf of all cardholders in the U.S. who had their credit or debit card data stolen in the Heartland Payment System (HPY) data breach. This brings to three the total number of class action lawsuits filed against the Princeton, NJ-based payments processor. The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen. Heartland says last year it processed 100 million card transactions per month, but an unknown number of cards were impacted by the breach. The law firm says fraudulent activity has occurred on some of those cards. The law firm alleges that Heartland's security measures and intrusion detection systems were inadequate. "Because of Heartland's inadequate data security, cardholders have had their card information compromised, have been exposed to the risk of fraud, have spent and will spend time to monitor their accounts and dispute fraudulent charges, and have suffered other economic damages," the law firm says in its statement regarding the suit. Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey. Sheller P.C. has also filed a consumer class action suit against RBS WorldPay for its security breach that was made public on Dec. 23, 2008. Previously, Chimicles & Tilellis LLP of Haverford, PA filed suit in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Co
Karl Wabst

With Breaches Rising, Insurer Offers Card-Compromise Coverage - 0 views

  •  
    Fireman's Fund Insurance Co. this week unveiled what it says is the first coverage available to small and medium-sized businesses for losses from payment card data breaches. News of the policy came on the same day that a non-profit research organization reported that data breaches increased 47% last year. The idea behind the coverage, according to Brian Gerritsen, product director at Novato, Calif.-based Fireman's, is to give peace of mind to business owners who are diligent about complying with the Payment Card Industry data-security standard, or PCI, the card networks' uniform protection rules that all card acceptors are supposed to meet. "That's what we're really trying to insure against-business owners trying to do everything in their power to protect their customers' cardholder data, but still find themselves in a data-breach situation and out of compliance with the PCI standards or other security standards that may apply to them," he tells Digital Transactions News. To get the coverage, however, a merchant must clear a number of hurdles. An applicant must already have property or liability coverage from Fireman's as well as the company's general data-breach policy first offered in 2006. The new payment card coverage is an add-on to that earlier product. Coverage is available to retailers and most other card-accepting merchants, but not schools and hospitals, says Gerritsen. The insurer excluded the former because of their high rate of data breaches and the latter because they hold extremely sensitive medical and personal data. If breached, a covered merchant could recoup about $160,000 in resulting expenses. That includes up to $50,000 for a PCI-specific forensic investigation, system scans and software, and hardware upgrades to get card security up to snuff. The policy also provides up to $100,000, with a 5% deductible, for PCI fines-"contractual penalties" in industry lingo-and related costs such as chargebacks and issuers'
Karl Wabst

Contactless Stickers for Cell Phones Move onto Payments Networks - 0 views

  •  
    (March 31, 2009) First Data Corp. announced on Tuesday it will use technology from Inside Contactless, a French chipmaker, for its Go-Tag product, a sticker that can be affixed to mobile phones to make them work like contactless-payment devices. Under the three-year agreement, Inside Contactless will supply so-called prelams, or chip-and-antenna elements, that card manufacturers can use to manufacture the stickers for First Data. Up to now, Go-Tags have been proprietary devices for use in so-called closed-loop networks involving individual merchants, but with Inside Contactless's technology the product will likely be usable by mid-year on the payWave and PayPass contactless platforms operated by Visa Inc. and MasterCard Inc., pending certification on those systems, according to industry sources. A First Data spokesperson will not comment beyond Tuesday's announcement concerning the company's arrangement with Inside Contactless to provide prelams for Go-Tags. In addition, CPI Card Group, a card manufacturer based in Littleton, Colo., last fall said it expected to ship millions of contactless stickers based on prelams from Inside Contactless (Digital Transactions News, Oct. 15, 2008). CPI's customers are financial institutions interested in using the stickers to permit contactless transactions on payWave and PayPass. CPI is a manufacturer of Go-Tags, but will not comment on any plans for that product. First Data's deal with Inside Contactless follows by one day an announcement by Blaze Mobile Inc., an Alameda, Calif.-based provider of applications for mobile devices, that it is introducing a similar sticker that will work on the PayPass platform. The product works with the Blaze Mobile Wallet, a service the 4-year-old company launched a year ago when it was known as Mobile Candy Dish Inc. (Digital Transactions News, April 10, 2008). The stickers link to prepaid accounts managed by MetaBank, a Storm Lake, Iowa-based unit of Meta Financial Group Inc. Devel
Karl Wabst

Red Flags Rule Enforcement Deadline Extended - 0 views

  •  
    To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
Karl Wabst

PCI Compliance: Does it Help or Hinder the Fight Against Fraud? - 0 views

  •  
    PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Good news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.
Karl Wabst

Heartland Payment Systems Discovers Data Breach - 0 views

  •  
    Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach. In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed. Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.