I just read a story about a server breach at 1st Source Bank located in Indiana, USA. What caught my eye though was the fact that the breach was detected due to a massive numbers of fraudulent ATM transactions in Europe (specifically in Russia, Ukraine, Turkey and the Czech Republic) a month (!) later. These fraudulent activities were traced back to that server located across the ocean.
I presume that an individual (or an organization) hacked into the server, stealing data which was sold to different (or a network of) sources in Europe. These criminals then created debit cards based on this information to commit the fraud. The article does not specify the type of data which was stolen, but obviously it was enough to create the cards and furthermore, it must have also contained the secret PIN of the victims - after all, a PIN is required to extract money from the ATM. Well, at least this is how I read between the lines.
This incident emphasizes the motivation behind the PCI-DSS requirement which specifies that the PIN should not be stored at the database at all, nor the raw Track data. This leaves many open questions and me quite curious to know the turn out of the breach investigation.
