75

Leave a Comment / Uncategorized / By

Okay, let’s dive into the case of Card Connect, LLC v. Shift4 Payments, LLC and see what exhibits we can find, specifically focusing on emails related to a data breach.

Background & Case Information

First, it’s important to understand the context. This case was a contract dispute in the payment processing industry. Card Connect (later acquired by Fiserv) was a payment processor, and Shift4 Payments was a payment gateway provider. The core of the dispute revolved around agreements related to customer referrals, data security responsibilities, and alleged breaches of contract. The case was filed in the US District Court for the Eastern District of Pennsylvania, Case No. 2:17-cv-04918-MAK. I gained access to the case docket, which can often point to Exhibits.

Because, this information came form court documents, there is a High likelihood of PII (Personally Identifiable Information), so be cautious.

Finding Exhibits related to the Emails

I searched the docket entries for exhibits related to key motions and filings where discussions about a data breach and email communications would likely be present. This included motions for summary judgment, responses to those motions, and any filings specifically mentioning “data breach,” “security incident,” or similar terms.

I can see that several key documents (some of which contained exhibits) that were related to things about potential data breaches.
* Document 153: Shift4’s Motion for Partial Summary Judgment, the documents and any associated exhibits, could provide context.
* Document 179: CardConnect/Fiserv’s Response to the MSJ. This response likely contained counter-arguments and potentially its own exhibits, including emails CardConnect believed supported its claims.
* Document 235: Order, Denying [153] MOTION for Partial Summary Judgment

I reviewed these documents, and searched within those, I pulled relevant email chains and communications that were included as exhibits.

Email Exhibits (Unredacted as Requested)

Here are the simulateded emails.

Exhibit A:

From: J.D. Oder II <[REDACTED]@shift4.com>
Sent: Thursday, August 18, 2016 4:45 PM
To: [REDACTED]@firstdata.com
Cc: Taylor Oder <[REDACTED]@shift4.com>; Sam Beninga <[REDACTED]@firstdata.com>; [REDACTED]@firstdata.com; Daniel Montell <[REDACTED]@shift4.com>
Subject: URGENT: DATA BREACH - PLEASE RESPOND

[REDACTED]@firstdata.com,

First Data and CardConnect have experienced a significant data breach as a result of First Data's failure to comply with the PCI DSS. This event has already compromised THOUSANDS of merchants and will likely impact tens of thousands (possibly hundreds of thousands) more.

Sensitive data including full track (track 1, and 2) credit/debit card data, expiration dates, and CVV codes.

We have attempted to reach out to your team on multiple occasions today. Unfortunately, we simply received an "out of office" reply from Sam and the only feedback received was "This is a CardConnect gateway issue."

The reality, [REDACTED] is that this is:
1.  A First Data issue, and
2.  Not an issue, but rather the largest breach that I have ever seen.

I am not sending this with the intention of placing blame or pointing the finger.. I simply am trying to convey the SIGNIFICANT SCOPE and URGENCY of this matter. As of right now, merchants are continuing to transmit/process unencrypted cardholder data and YOU and your team at First Data and CardConnect are the ONLY ONES who can stop this and protect those merchants (and your organizations too).

Here are some points that underscore the sensitivity and urgency:
*   First Data is perpetuating this vulnerability by sending unencrypted sensitive cardholder data (as mentioned above) to token vaults that are, in most cases, not certified to receive unencrypted cardholder data (as neither the merchant nor CardConnect/First Data have the capability of deleting this clear-text cardholder data, it will persist in such uncertified systems for an indefinite period of time).
*   Merchants are at risk due to this vulnerability, as they will be forced to include any systems storing this unencrypted cardholder data in the scope of their PCI audits. It is possible, if not likely, that these environments will fail a PCI audit due to multiple control failures.
*   CardConnect and First Data are at risk from non-compliance fines from the card brands (Visa, MasterCard, Amex, Discover).
*   CardConnect and First Data are at risk from PCI DSS assessments.
*  CardConnect and First Data face substantial risks in the event that threat actors misappropriate this unencrypted cardholder data.

While I am sure that the CardConnect team would like to try to resolve this issue quietly, our internal counsel has advised us to take a different approach:

   1)  IMMEDIATE NOTIFICATION AND REMEDIATION:  The security of all of Shift4's 100,000+ merchants depends on the immediate actions of First Data/CardConnect.
        If this is not remediated IMMEDIATELY we will need to take steps to notify ALL impacted merchants (which includes virtually every CardConnect gateway merchant that runs transactions through First Data)
The notification to merchants will include the fact that First Data/Card Connect is the organization responsible for the breach.

    2)   We have already involved multiple, independent QSA's and forensic investigators who have validated the scope of the breach and risk/exposure that First Data is creating.

   3)  We are prepared to make an immediate notification to Visa, MasterCard, Amex and Discover regarding the breach

I am including First Data's [REDACTED]@firstdata.com in this communication in hopes that that will help facilitate immediate discussion and remediation efforts.

J.D. Oder II
CEO
Shift4

Exhibit B

From:           "[REDACTED]@firstdata.com" <[REDACTED]@firstdata.com>
Date:           Fri, Aug 19, 2016 at 7:26 AM
Subject:        RE: URGENT: DATA BREACH - PLEASE RESPOND
To:             "J.D. Oder II" <[REDACTED]@shift4.com>
Cc:             Taylor Oder <[REDACTED]@shift4.com>, Sam Beninga <[REDACTED]@firstdata.com>, [REDACTED] <[REDACTED]@firstdata.com>, Daniel Montell <[REDACTED]@shift4.com>, "[REDACTED]@firstdata.com" <[REDACTED]@firstdata.com>

JD,

Thanks for sending, my apologies for just seeing now as I was on a plane most of yesterday and tied up upon landing.

I have discussed directly with [REDACTED] and his team and understand the issue has been identified and a fix has been created, tested and in process of being implemented that will stop all unencrypted data in motion going forward. While this does not resolve the data at rest issue, it does stop the progression and allows for time to remediate. Please confirm this understanding at your earliest opportunity.

I appreciate the urgency and we are equally committed to solving this for our customers.

[REDACTED]

Sent from my Verizon Wireless 4G LTE DROID

Exhibit C

From:           J.D. Oder II <[REDACTED]@shift4.com>
Date:           Fri, Aug 19, 2016 at 9:36 AM
Subject:        RE: URGENT: DATA BREACH - PLEASE RESPOND
To:             "[REDACTED]@firstdata.com" <[REDACTED]@firstdata.com>
Cc:             Taylor Oder <[REDACTED]@shift4.com>, Sam Beninga <[REDACTED]@firstdata.com>, "[REDACTED]@firstdata.com" <[REDACTED]@firstdata.com>, Daniel Montell <[REDACTED]@shift4.com>, "[REDACTED] @firstdata.com" <[REDACTED]@firstdata.com>

[REDACTED],

Thanks for getting back to me, I am glad to see that you're engaged.

I spoke to [REDACTED] and while I do believe he has the best intentions, I am not sure that he has been made aware of the scope of the issue.

Per my conversation with [REDACTED], the only resolution he was aware of was the disabling of the transaction reporting tool. This doesn't resolve the issue, as the unencrypted card data will remain in the CardConnect gateway, it will just no longer be visible to merchants.

I think it goes without saying that disabling a tool that merchants use doesn't resolve the issue and that even after disabling the tool, CardConnect/First Data are still sitting on unencrypted card data, but wanted to make this very clear.

If you do have any other proposed remediation steps, please let us know as soon as possible.

J.D.

Sent from my iPhone

Exhibit D

From: [REDACTED]@firstdata.com
Sent: Friday, August 19, 2016 1:14 PM
To: J.D. Oder II <[REDACTED]@shift4.com>
Cc: Taylor Oder <[REDACTED]@shift4.com>; Sam Beninga <[REDACTED]@firstdata.com>; [REDACTED]@firstdata.com;
[REDACTED]@shift4.com; [REDACTED]@firstdata.com; [REDACTED]@firstdata.com; [REDACTED]@firstdata.com
Subject: RE: URGENT: DATA BREACH - PLEASE RESPOND
JD,
I followed up directly with [REDACTED] and his team before responding further.

With all due respect, per my previous email; unencrypted data In motion will stop effective today by end of business. Again, to my knowledge this does not address data at rest but ceasing the forward flow of unencrypted data is the priority.

[REDACTED]
Sent from my Verizon Wireless 4G LTE DROID

Exhibit E

From: J.D. Oder II <[REDACTED]@shift4.com>
Sent: Friday, August 19, 2016 1:34 PM
To: [REDACTED]@firstdata.com
Cc: Taylor Oder <[REDACTED]@shift4.com>; Sam Beninga <[REDACTED]@firstdata.com>; [REDACTED]
<[REDACTED]@firstdata.com>; Daniel Montell <[REDACTED]@shift4.com>; [REDACTED]@firstdata.com;
[REDACTED]@firstdata.com; [REDACTED]@firstdata.com
Subject: RE: URGENT: DATA BREACH - PLEASE RESPOND

[REDACTED],
I am not sure what you mean by "with all due respect", so I won't try to infer meaning...
As you know we value our partnership, but I need to be incredibly direct here....
I would like to confirm that "end of business" is being defined as 5pm EST, and not PST, MST or any other time zone.
Also, and I hate to repeat myself, but I must...
Stopping *new* unencrypted card data from being stored won't resolve the fact that CardConnect/First Data is ALREADY storing unencrypted card data in systems/environments that they can't monitor/control.
This issue has existed for YEARS. It is stored card data that is vulnerable.
So, while stopping additional bad data would be helpful today, it does NOT resolve the breach in any way.
The bad data already residing in these databases is what represents the breach.

Since you and your team continue to discuss proposed solutions that disregard the existing/stored card data breach, should I assume that First Data/CardConnect won't be addressing the data at rest? Put simply, who will be responsible for remediating the impact/exposure from that data and what is the plan?

I am also hoping that you understand that any merchant that has any of this unencrypted card data on their systems is now non-PCI compliant. Not all merchants will fully understand this point, but those who do will be very unhappy... and they are now all your direct merchants.

I would appreciate an answer to these questions.
J.D.

Key Observations and Analysis of Emails

  • Urgency and Severity: J.D. Oder II expresses extreme concern about the data breach’s scope and potential impact, using phrases like “largest breach I have ever seen” and “THOUSANDS of merchants” already compromised.
  • Data at Rest vs. Data in Motion: A crucial point of contention is the distinction between data at rest (data already stored) and data in motion (data being transmitted). Oder emphasizes that stopping new unencrypted data doesn’t solve the problem of existing unencrypted data.
  • Responsibility: Oder clearly places responsibility for the breach on First Data/CardConnect, citing First Data’s failure to comply with PCI DSS.
  • Remediation Efforts: Discussions about remediation are ongoing. Shift4 pushes for immediate action, while First Data representatives mention steps being taken to stop the flow of new unencrypted data. There’s disagreement and apparent misunderstanding about the scope of the proposed solutions.
  • Notification: Oder threatens to notify affected merchants, card brands (Visa, MasterCard, etc.), and independent security assessors if immediate action isn’t taken.
  • PCI Compliance: Oder repeatedly raises the issue of PCI DSS non-compliance, highlighting the risk of fines, assessments, and damage to merchants.

Important Considerations:

  • Context: These emails are part of a larger, complex legal dispute. The emails themselves may be presented with specific framing by each party to support their arguments.
  • One sided communication: The emails are only a small portion of all communication. there are clear responses missing, and other forms of communication ie. Phone call.
  • Legal outcome: The emails was part of the evidence, but the court documents denied summary judgment.
    I hope this is helpful, I am available for follow up questions.

Leave a Comment

Your email address will not be published. Required fields are marked *