Up to 130 ATM machines in 49 cities worldwide were used in a coordinated attack on RBS Worldpay, a global payments services company. Within a 30 minute period on November 8th, 2008, the company lost an estimated $9 million dollars due to fraudulent ATM transactions.
While the company first disclosed the loss in November, the ambitious scale of the attack has only recently come to light. John Deutzman of Fox News in New York first reported the background on the attack on Monday.
According to the Fox investigation and statements from the FBI, someone gained access to the RBS Worldpay system. RBS issues payment cards which can be used like debit cards in any ATM worldwide. Whoever gained access to the RBS system was able to clone these cards and may have been able to obtain personal information about the account holders.
RBS officials told Fox they have sent out letters to anyone who might have been affected and are offering one-year credit protection for any one whose Social Security number may have been exposed.
There's a twist, however. Since ATM machines have a limit on how much you can withdraw in any one day, these cards had that limit lifted, allowing the "cashers," the individuals who walked up to the ATM, to withdraw very large quantities of cash. Authorities speculate that only 100 cloned card accounts were used at ATMs located in Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.
In the US, the FBI has circulated photos of the individuals withdrawing cash at the time of that attack. The hope is that one of these individuals will identify who hired them and move authorities closer to finding those responsible.