A third-party processing company should not have been keeping records stolen weeks ago by online thieves in a security breach that could have exposed 40 million credit-card numbers to fraud, the company's chief executive officer (CEO) told The New York Times over the weekend after the breach was revealed last Friday.

The breach may trace back to mid-April when MasterCard International noticed atypical levels of fraudulent charges, according to the Times. The stolen records, which included 200,000 of the 40 million that were potentially compromised, were in a computer file stored for "research purposes" at CardSystems, CEO John M. Perry is quoted as saying in the newspaper.

"We should not have been doing that," the newspaper quotes him saying. "That, however has been remediated." The company no longer stores sensitive data on files, he said. The research the records were saved for involved ascertaining why some transactions were unauthorized or incomplete.

The breach occurred at CardSystems' Tuscon, Arizona, operations center, MasterCard said Friday when it disclosed the incident. MasterCard launched an investigation into the matter, which also is being probed by the U.S. Federal Bureau of Investigation (FBI). The FBI was notified of the breach on May 23, according to a statement from CardSystems. The company has installed improved and additional security procedures that a investigation security assessor recommended, it said in the statement.

Neither MasterCard or CardSystems could be reached for direct comment about the security breach. CardSystems processes transactions for more than 105,000 small to midsized businesses annually, as well as more than $15 billion in yearly transactions for MasterCard, Visa, Discover and American Express and online debit, according to the company Web site. 

Meanwhile, security vendor Secure Computing Inc. found the first phishing scam using MasterCard in the subject line to alarm e-mail users after the breach was revealed. The initial scam seemed hurried as it didn't mention the security breach and may be an old scam making the rounds again. Secure Computing expects scams to continue and to also be more sophisticated in the coming days, specifically referring in subject lines or body text to the latest big-news breach.

"Consumers should definitely be aware," said David Burt, public relations manager for Secure Computing, based in Seattle.

This latest high-profile breach involving a large number of credit-card numbers will undoubtedly figure in upcoming debates in the U.S. Congress, which already has more than 20 bills in the works that deal with identity theft in some way or other.

The public disclosure of the CardSystems breach, even though it was made weeks after it actually occurred, is likely somewhat in response to California's Senate Bill 1386, which deals with privacy and personal information, said Paul Stamp, an analyst with Forrester Inc., in Cambridge, Massachusetts. More such disclosures should be expected, he said.

"These things are going to happen," he said. "They probably always did." The difference now is that the public is demanding accountability.

CardSystems undoubtedly has plenty to answer for. The Times reported that the stolen data wasn't encrypted, and credit card companies gave statements saying that CardSystems wasn't following their proper security requirements. "MasterCard is giving it a limited amount of time to demonstrate compliance," the company said in a statement.

InfoWorld: Top News

DÜSSELDORF, GERMANY - Microsoft has filed a suit against a company in Germany that it alleges is at the center of a network of companies in the U.S. and Ukraine distributing unsolicited e-mail.

The company, which is registered in the state of North Rhine Westphalia, is the source of millions of unsolicited e-mail messages, or spam, Microsoft said Monday in a statement issued on its German-language Web site.

Microsoft declined to disclose the name of the company.

The English-language spam messages promote companies offering Web site design and development services, in addition to online casinos and pornographic Internet sites, according to Microsoft. Some users of Microsoft's Hotmail service have received thousands of unwanted advertising messages from Internet companies located in North Rhine Westphalia, the U.S. software company said.

The owner of the company at the center of the spam ring operates numerous Web sites, which he uses to send unsolicited e-mail for a fee or to sell addresses, according to Microsoft.

The owner, who now resides in Germany after having lived for a long time in the U.S., denies the allegations, claiming his partners are out of control, Microsoft said.

Whether Microsoft can halt the flow of spam spewing from companies in Germany remains to be seen, however. Currently, the country has no law against spam distribution.

To sidestep this legislative hole, Microsoft is seeking an injunction to shut down the alleged spammer in North Rhine Westphalia under German fair-trade laws.

InfoWorld: Top News

Filling a conspicuous hole in its suite of search engine services, Microsoft Corp.'s MSN division plans on Tuesday to add a local search tab to its search engine that will return location-specific listings for businesses and people.

The new MSN Local Search service will be offered in beta, or test, mode, and will also place query listings on a map from the company's MapPoint Web Service, according to a Microsoft official.

MSN Local Search also will feature aerial images plucked from the company's TerraServer-USA database when they are available, said Erik Jorgensen, general manager of MSN Local Search and Maps.

In addition to listings, the local service will also deliver relevant Web pages, chosen using an existing MSN technology called Near Me that identifies pages in the search engine's general index with location-specific tags, he said.

For example, a search for the term "dry cleaners" in Dallas will retrieve appropriate business listings but may also deliver a newspaper article naming the best dry cleaning providers in the area.

MSN Local Search will later be enhanced with the launch of MSN Virtual Earth, a new service that will let users superimpose driving routes, places and weather information on maps and satellite images. MSN Virtual Earth should become available before the end of the U.S. summer on Sept. 22, Microsoft said last month.

Once MSN Virtual Earth is in place, users will be able to engage in a truly "immersive" local search experience, by navigating on a map or aerial image, getting a sense of what an area is like and discovering options on, for example, where to have dinner and go to a play or a concert, Jorgensen said.

"We're still in the early stages of local search. There's still a lot we can to improve and further innovate," he said.

Microsoft is trailing its main search engine competitors in local search. Google, Yahoo, Ask Jeeves and America Online all have local search tabs on their search Web sites. Google in particular gives users the option of viewing not only maps but also satellite or aerial images, a similar concept to the one Microsoft is pursuing with MSN Virtual Earth.

Demand for local search services has grown as users discover the benefits of running queries that limit results geographically, a convenient feature when looking for local businesses and places. Meanwhile, local search is also attractive to advertisers, particularly those that operate in specific cities or areas, because they can target their ads only at Web searchers looking for information about that location.

InfoWorld: Top News

Update: SAP lures top execs from rivals

Several top names in the who's who of business application software have abandoned Oracle and Siebel Systems to join arch rival SAP.

After dropping hints last week, SAP confirmed on Monday that the Walldorf, Germany, company has lured more than 200 people away from its competitors, including a handful of top executives. The new hires reflect a dramatic shift in the movement of talent in Silicon Valley, the company said in a statement.

"They send a signal around the Valley that SAP has a winning team," said Joshua Greenbaum, a principal at Enterprise Applications Consulting, in Berkeley, California. "People want to be part of a winning team."

The German software vendor is now emerging as an "American company," Greenbaum said. One of the goals of SAP board member Shai Agassi, who is responsible for the company's product and technology group, is to "turn SAP into a Silicon Valley company and not one that just has an office there," he said.

SAP wants to be "on the inside," Greenbaum said.

The exodus of talent at Oracle comes as the database giant struggles to incorporate both new products and people acquired through its purchase of PeopleSoft.

Siebel has responded to its outward flow of talent by launching an employee retention program.

The U.S. software company has lost a vital executive to SAP: Nimish Mehta, was responsible for Siebel's high-growth Customer Data Integration division. In his new role as senior vice president of enterprise information management at SAP, Mehta will create new product strategy for products focused on structured and unstructured data. Before joining Siebel, he had worked at Oracle for more than a decade.

Also joining SAP from the Siebel ranks are Richard Campione and Bob Stutz. Campione was formerly in charge of the group's financial services and public sector business. At SAP, he will be responsible for industry solution marketing. Stutz, who was in charge of 21 vertical product lines at Siebel, will lead SAP's strategic application development, responsible for the analysis, design, coding and testing of new software, enhancements and corrections to existing software.

Like Siebel, Oracle has also lost three top executives to SAP: Mike Mayer, Dan Rosenberg and John Zepecki. Formerly in charge of driving large IT infrastructure projects funded by development organizations such as The World Bank, Mayer will assume a similar role at SAP. Rosenberg, who headed Oracle's research and development for usability design, will be responsible for user interface development of all SAP products, including application user interfaces and the design of the group's NetWeaver integration platform.

Zepecki will be in charge of developing SAP's xApps systems and supporting the group's composite application initiatives. At PeopleSoft, which is now owned by Oracle, he was responsible for the company's enterprise performance management product line and financial management portal systems.

Other new hires include Doug Merritt and Gordon Simpson. Merritt, who was formerly with Quest Software Inc. and PeopleSoft, will be in charge of providing enhancements for the mySAP Business Suite, among other tasks. Simpson, the former Chief Technology Officer of BEA Systems, will take over as vice president of SAP's applied technology, product and technology group.

In January, SAP was able to lure George Paolini away from Sun Microsystems. At Sun, Paolini made a name for himself by helping build the company's Java development community.

A low-cost smart phone from Microsoft code-named Peabody is nearing completion and will run on the recently released Windows Mobile 5.0 operating system, an executive from the software giant said Tuesday.

When the phone platform was first discussed in February, Microsoft planned to aim it at emerging markets such as India and China. But the company has since decided to offer it in all parts of the world, since "everyone is interested in low costs," said Ya-Qin Zhang, corporate vice president at Microsoft's mobile and embedded devices division, during an interview in Taipei.

The software for the mobile phone, which includes some computing functions similar to those found in a personal digital assistant, has been completed, and Microsoft is working with contract manufacturer Flextronics International to design the hardware, with an eye to keeping the price as low as possible, Zhang said.

"We're going to make this available to our OEM (original equipment manufacturing) partners. I don't have a detailed time frame, but the work is coming along pretty well," he said. The planning and development are already done and only the hardware integration remains, he said.

Once finished, the smart phone's specifications will be offered to contract manufacturers globally as a way for them to quickly enter the smart phone business.

The handset will run on a full version of Windows Mobile 5.0, not a stripped down version, Zhang said. It will work on both GSM (Global System for Mobile Communications) and GPRS (General Packet Radio Service) networks.

Sybase has announced two deals to provide business-intelligence software to two Chinese companies, including white-goods maker Haier Group.

Haier, based in the northeastern Chinese city of Qingdao, will use Sybase's Dynamic Operational Data Store (ODS) to pull data from its transaction processing systems, Sybase said in a statement. The Dynamic ODS system is slated to be operational in September 2005 and will give Haier's management the ability to view information about operations across the entire company, it said.

In a separate deal, Sybase has provided its Industry Warehouse Studio (IWS) for Insurance business-intelligence system to Taikang Life Insurance Co., in Beijing. Taikang has completed the first phase of a planned roll out of the system, which is intended to help the company prepare for increased competition from foreign insurance companies entering the Chinese market, Sybase said.

Taikang is using this business-intelligence system to analyze customer information that previously was spread across disparate computing systems, it said.

Sybase did not disclose the financial terms of either deal.

Seagate Technology will start shipping next year a security technology for some of its hard-disk drives that will make life more difficult for notebook PC thieves to read stolen data, it said Tuesday.

The technology, called Hardware-Based Full Disc Encryption (FDE), automatically encrypts all the data written to the drive, according to Mark Pastor, strategic marketing senior director at Seagate.

"Before data gets placed on the media, it goes through the encryption...if you steal the drive and are a lab that specializes in retrieving data on the media, it doesn't matter. When you get the data off, it's gibberish," he said.

The encryption is Triple DES (Data Encryption Standard), a widely used encryption standard, he said.

The company is initially offering the FDE technology as an option on its upcoming range of 2.5-inch Momentus 5400 series drives. These drives will start shipping in the first half of next year and are designed for notebook PCs, Pastor said.

"Notebook PCs have two key attributes: they are used by a lot of business travellers and they are easily lost or stolen. Protecting notebooks is our first priority," he said.

The technology will be available for notebook PC makers on 40GB, 80GB, and 120GB versions of the Momentus 5400-series drives, which will have a spin speed of 5,400 rpm and use the Ultra ATA-100 interface.

The hard-disk drives with the encryption technology will have exactly the same performance as the drives in the series that don't use the technology. But the drives with the security feature will be more expensive, Pastor said. Pricing for the drives was not available.

Seagate estimates that about 10 percent of the Momentus 5400 series could be shipped with the security technology. If the feature catches on, the company will extend the option to a broader range of disks, he said.

In addition to offering the FDE technology, Seagate will offer software tools to customers so that they are able to add their own security features, for example biometric systems such as fingerprint scanners, to work with Seagate's technology, he said.

InfoWorld: Top News

After registration, a user will be able to review and correct or update the following Member Information: Email address; Address, city, state, ZIP Code, country, phone number(s) and fax number; Password; and Credit card information, if supplied. If any of the above information is changed, Mpelembe Network may keep track of and maintain copies of prior information as well as the new information, but is not obligated to do so.

In your registration to become a member of the Service, you hereby understand that the Service is designed for the general public. The information we request on the Service is personal information. Any personal individual information you provide on the Service will be treated as information that identifies you. Registration Information Through our online registration process, we collect a variety of information about your business, which may include (among other things) the name , address, phone number, email address