Mobile payment platform Charge Anywhere has revealed an exploit in its software that could put five years' worth of credit card data at risk.
In a statement posted online, the payment provider stated that it launched an internal investigation after hearing of fraudulent charges on customer cards that had previously been legitimately used. They discovered that malware had been installed that allowed hackers to capture segments of outbound traffic. The data stolen included names, card numbers, expiration dates and verification codes.
While Charge Anywhere believes that only transactions from earlier this year were affected, they revealed that the hack could potentially have been abused for up to five years: "Payment cards used at these merchants between November 5, 2009 and September 24, 2014 may have been affected although we only found evidence of actual network traffic capture from August 17, 2014 through September 24, 2014."
"Individuals who used their card at one of these merchants between November 5, 2009 and September 24, 2014 should continue to review their account statements for any unauthorized activity regularly. Contact the bank that issued your card if you see any unauthorized charges. The credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges."
"We completely eradicated the malware from our systems and have been working with computer security firms to further strengthen our security measures," the company added.
The Register notes that Charge Anywhere has set up a help page for merchants, so they can search an unpublished list of affected traders to see if they have been affected by the breach.
"The incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to fully encrypt the data as it traverses their network," concludes Brian Krebs of Krebs on Security.