Extortionist Puts Credit Card Data On Web

Latest In Series Of Online Credit Card Thefts

(AP)  The FBI is looking for a hacker who put thousands of stolen credit-card numbers on the Web after a $100,000 extortion demand was ignored.

More than 55,000 numbers were stolen from creditcards.com, which processes credit transactions for online companies. About 25,000 of them were posted online when the extortion payment was not made, creditcards.com spokesman Laurent Jean said Wednesday.

The Web site containing the numbers has since been taken down, said FBI spokesman Matthew McLaughlin. The hacker has not been caught.

It is the latest of several attacks against companies with online operations in which hackers sought money after stealing credit card information.

The hacker, who appeared to be from Russia, contacted creditcards.com about three months ago, the company said in an e-mail sent to its merchants on Monday. Creditcards.com said it responded by immediately adopting a policy of refusing to cooperate with hackers or meet extortion demands.

The company said it also hired security consultants to help improve its ability to protect data and is cooperating with authorities investigating the matter.

One of the company's merchants, ihateshopping.net in Tacoma, Wash., said it was contacted by the hacker earlier this week and quickly downloaded all of the credit card numbers provided.

The company has since created a page where potential victims can enter their name and address to determine if their credit card was compromised, said Harry Widdifield, owner of ihateshopping.net, an online shopping service.

"We think it's the most judicious use of the information that was given to us by the hackers possible," Widdifield said. "I'm surprised creditcards.com didn't handle it this way. They didn't, we have."

Widdifield, whose wife's corporate card was on the hacker's list, said he plans to find a new company to handle credit card transactions.

"They have one job and that's to mind the store," he said. "In the brick-and-mortar world banks have vaults to keep things safe. We should expect the same things from places like creditcards.com."

An executive with Urban Golf Gear, another creditcards.com merchant, said none of the 550 people on its customer list reported illegal card charges.

The Oakland-based company's chief executive officer, Craig Tanner, said he first learned of the security breach Monday when the hacker contacted him by e-mail.

"I put my trust in creditcards.com to have a secure system," said Tanner, whose company sells hip golf clothing. "Nobody told me these credit cards were stolen."

Creditcards.com is just the latest of several online companies to be victimized in such a way.

• Last year, music retailer CD Universe was the victim of a hacker who stole about 300,000 credit card numbers and posted some of them online when an extortio fee was not paid.
  
  
• Other companies that have recently had credit card numbers obtained by hackers include:
  
  
• SalesGate.com of Buffalo, N.Y., which learned earlier this year that hackers had stolen thousands of credit card numbers from a site it thought was secure.
  
  
• RealNames, an Internet search service with as many as 20,000 card numbers on file, which learned of a hacker infiltration in February.
  
  
• Western Union, which shut its Web site for five days in September after a security breach allowed hackers to steal the credit or debit card numbers of more than 15,000 customers.