The story of a substantial loss – apparently due to criminal manipulation of withdrawal limits for pre-paid Sunrise cards issued by FIS – dates back to May, but notice only now is bubbling into public attention.

“It surprises me how little notice is being given to this loss,” said security blogger Brian Krebs, a onetime Washington Post reporter and a leader in reporting on financial institution security.

News Update, April 10, 2012: NCUA Advises Credit Unions to Evaluate Relationship With FIS
         

A recent Krebs blog posting is what has shined a new light on the story.

First notice came in May in the FIS earnings release, where the Jacksonville, Fla., company wrote: “FIS incurred a loss of approximately $13.0 million, or $0.03 per share, during the first quarter of 2011 related to unauthorized activities involving one client and 22 prepaid card accounts on its Sunrise platform. The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.”

Krebs, in his blog, reported on what he said actually went down, citing sources he said were close to the investigation: “Cyber thieves broke into the FIS network and targeted the Sunrise platform’s ‘open-loop’ prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period.

“Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.”

And the losses multiplied, apparently climbing to $13 million very quickly.

Krebs added in a telephone interview: “I have to wonder how many breaches just like this haven’t gotten reported.”

FIS, a major supplier of card and core processing services to credit unions, has not responded to a request for comment.