FBI: No credit card data breach in US state server case

18.04.2006
An FBI investigation has concluded that no consumer credit or debit card information was stolen from a New Hampshire state computer server in February because a suspect Cain & Abel password recovery program found on the hardware had never been activated.

In an announcement on Friday, New Hampshire Attorney General Kelly Ayotte said that the FBI probe determined that no data theft occurred because the program, which can be misused by hackers for malicious purposes, was never run. 'As a result of this finding, the state has concluded that it is very unlikely that any credit card or debit card information was accessed by identity thieves,' Ayotte said in a statement.

The FBI, the U.S. Department of Justice and New Hampshire officials began investigating the potential security breach after Cain & Abel was found on a state server during a routine security check two months ago. The New Hampshire Division of Motor Vehicles and the state Veterans Home used the server to transmit financial information, while the New Hampshire Liquor Commission used it as a backup for sales transactions. The server held only credit card numbers; no other personal information was stored on it, officials said.

The inquiry led officials to place an unnamed Office of Information Technology (OIT) employee on paid leave as part of the investigation.

The employee, who identified himself last month as Douglas A. Oliver, 44, said Monday he has received a letter from the OIT telling him that he can return to work on April 25. Oliver confirmed that he will go back to work next week, but declined to comment on the letter.

Oliver, a Web middleware engineer who was placed on paid leave Feb. 17, said last month that as a member of an OIT security audit team, he installed and used a collection of software tools, including Cain & Abel -- a password-recovery program for Microsoft products -- so that the state's IT security could be accurately tested against real-world intrusions. The work was done with the knowledge and endorsement of OIT managers, he said.