Payments vendor Charge Anywhere has confirmed a data breach that may have exposed payment card numbers dating back to late 2009, Bank Info Security reported.
The New Jersey company, which routes transactions from merchants to their payment processors, discovered malware on its systems on Sept. 22 and hired a security firm to investigate, Charge Anywhere said in a notice on its website. The investigation revealed that an unauthorized individual gained access to the company's network and installed the malware to capture outbound network traffic.
Much of the outbound traffic was encrypted, but some unencrypted outbound messages showed transaction authorization requests. Only traffic originating from Aug. 17 through Sept. 24, 2014, appeared to be compromised, but "the unauthorized person had the ability to capture network traffic as early as Nov. 5, 2009," the company said.
Compromised data includes cardholder name, account number, expiration date and verification code.
The company said it has been working to further strengthen its security measures following the incident, and that it has also been working with card companies and processors to provide them with a list of merchants and the account numbers for cards used during the breach period.