June 22, 2005 4:00 AM PDT

Consumers, retailers grapple with data theft

Consumers are being left in the dark as the credit card industry cleans up after a digital break-in that put millions of accounts at risk.

Pressure is mounting for companies to alert individual cardholders whose details were exposed by the breach at data processor CardSystems Solutions. But representatives for JP Morgan Chase, Citigroup and MBNA said they would not notify customers unless the accounts are actually abused. At that point, the providers would close the account and issue a new card, they said.

That approach irks lawmakers who are fighting for full disclosure in the event of a data security breach. People should be able to decide themselves if they want to close their account after their personal information has been leaked, they said.


"The consumer, not the company, ought to be able to make the judgment, to the extent he wants to be at risk," said California state Sen. Joe Simitian, a Democrat from Palo Alto. "Consumers can't protect themselves if they are not informed."

With the cost of the breach not yet clear, lawmakers and other parties are keeping a close eye on the impact it's having on customers and on the credit card industry's response. Online retailers, which often bear the cost of credit card scams, are especially concerned about a possible influx of fraud.

In the break-in, reported Friday by MasterCard, the intruder got access to names, account numbers and verification codes for 40 million credit cards that could be used to commit fraud. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, Chase doesn't plan to inform individuals whose data was leaked.

"We are not going out to however many customers of ours that are affected," said David Chamberlin, a spokesman at Chase, which has issued 94 million credit cards in the United States. "Right now, we are dealing with potential fraud. If we find fraud or believe our customers are at high risk of fraud, we will contact them as soon as possible."

Chase's stance is echoed by Citigroup and MBNA. Representatives for both financial services providers said that they will closely monitor the accounts that are known to be exposed. The companies are advising all customers to keep a close eye on their online and monthly statements.

American Express is still weighing whether it should contact individual customers, a representative said Tuesday.


The issuers' approach would appear to put them in contravention of a California law that requires businesses to alert consumers if their personal information might have been stolen from a computer database. Sen. Simitian authored that law, the Security Breach Information Act, which came into effect two years ago.

"If somebody has your name and your credit card number and all the information needed to make purchases on your account, you need that information to protect yourself," Simitian said. "If Chase continues to take the position that it (the law) does not require them to provide notice, I will do another bill if I have to."

On the national level, Sen. Dianne Feinstein, a Democrat representing California, is urging all credit card companies to contact affected customers. The CardSystems breach is a clear example that the industry is failing when it comes to protecting consumer data, she wrote in a letter Tuesday to the chief executives of Visa, MasterCard, American Express and Discover.

Like Simitian, Feinstein believes that notification is "vital to affording individuals the ability to protect their identity and their credit," she wrote. Feinstein has introduced a bill in the U.S. Senate that would require that consumers be notified of certain types of security breach.

Retailers may have more to lose than consumers by the lack of notification. If a fraudster makes purchases on an individual's card, then


11 comments

Card companies should be forced to notify merchants, too!
Card companies are notorious for forcing requirements and responsibilities on others. They want to pawn off all responsibility for fraud on merchants and consumers, never acknowledging that their practices are major contributors to fraud: granting credit accounts without proper screening, failure to safeguard accounts, and failure to properly inform merchants about compromised cards and other information in their possession which indicate that fraud is taking place.

One of the industry's latest irresponsible initiatives is the pushing of "cash back" cards, and an attempt to charge merchants an extra fee when these cards are used...while hiding the nature of the card from the merchant and prohibiting him from passing the fee on to the consumer. This is a recipe for enlisting the least responsible card holders: those who would use these cards to pay expenses of others in order to collect the "cash back" for themselves. This encourages business fraud and tax fraud, too.

While I generally oppose government stepping in where private enterprise can fix the problem, the card processing industry currently operates like a cartel. Therefore, if it does not take immediate steps to reform itself, government must step in and force it to do so.
Posted by landlines (54 comments )
Private Enterprise will not fix the problem
> While I generally oppose government stepping in where
> private enterprise can fix the problem

It is way past time that the government step in. The financial industry is one that SHOULD be regulated.

Does it please you to know that your financial (and medical) records are moved to various entities around the world on a daily basis without your consent or knowledge? Does it please you to know that a clerk in India or China has access to all your records, and that the government is doing nothing to stop it? Will it please you when your information is given to criminals in India or China or Russia or some other far off land where you will have NO recourse to get your affairs back in order once your identity is stolen, your bank accounts drained, and charges racked up that you never made?

It's time for people to wake up. This laissez-faire attitude towards business has gone too far.
Posted by (274 comments )
EDI Secure LLLP sold out to IDPixie LLC
A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )
Card Makers Need To Rethink Candor...
Mr. AT Alishtari remembers an old joke where a doctor says I got bad news and worse news. The bad news is you got 24 hours to live and the worse news is I have been looking for you for 23 hours. When it comes to scams, scamming, fraud, phishing, pharming, robot attacks, zombies, trojans, online offshore investment attacks and full fledged cyber war by geekfathers and cyber crews the news is dire.

The problem is the consumer needs to know the worse of it so that immediate measures can be taken to ameliorate the problem. Yes two factor authentication with an offline device holds the best possibility of a solution but nowhere is a platform built using EDI Secure LLLP's US patent so card companies will have to license it and use stop-gap measures until the market can be secured.

That is better news than let's just let Western cash be devaluated by cyber crews from theft paid by insurance however the market must grow up. The secrecy and confidentiality of the past is past. What is left is candor that will establish who will grow from those who must shrink.
Posted by (66 comments )
Due to market consolidation, I agree to above and add the below for notice.
A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Mr. Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )
Government Will !!!
Asking the Credit Card Companies to regulate themselves is like asking a politician to stop "lying", it can't be done. But then the regulators are politicians.
Posted by (32 comments )
Why Should Cardholder Pay ANYTHING!
So the card companies won't notify those who are affected, but if you are affected and you catch the fraud, it is going to cost you $50? What kind of extortion is this? It is MasterCard's fault that THESE numbers got stolen, so the consumers affected should not have to pay one SINGLE penny in the event of fraud.

We need to contact our lawmakers and tell them enough. I want control of my information and I want those who violate that trust to pay.
Posted by (274 comments )
One solution.
I figure that even if law makers create some kind of law for full disclosure the credit card companies will fight it in court. To help speed up the process I say everybody who has a card with Mastercard sues them in a class action lawsuit. I would also go as far as to make it mandatory for any company that allows the theft of personal data to be held responsible and required to pay any damages that occur because of the theft, like identity theft or credit history being ruined because of fraud.

I would think that if you won it would put a lot of pressure on these companies to make sure your data is safe. I figure they will up fees, but given the amount of competition they may not.
Posted by System Tyrant (1453 comments )
Automatic Cancellation Will Wreak Havoc
Imagine what kind of havoc will be done to folks who have their credit card accounts cancelled without notice. You're travelling on business or vacation and suddenly your transactions are declined. You can't pay for dinner, can't rent a hotel room, can't change your airline reservation, can't pay for a prescription at the pharmacy. As Karl Malden, the venerable Amex spokesman would say, "What will you do? What WILL you do?"

I'll tell you what you will do. You will cancel your cards BEFORE they are cancelled out from under you. You should control the timing, not the card companies.

Lastly, I foresee a lot of lawsuits down the road when people's cards are forcibly cancelled with no advanced warning and their lives are turned upside down. Actual and punitive damages await the credit card cabal for shirking responsibility.
Posted by Stating (869 comments )
Credit Data Security
If companies were fined $1000 for each account and each instance the account's data were compromised they'd find a sensible solution. And, YES, tell me, you'd better tell me, if you've allowed someone to commit fraud, up my average daily balance, increase my finance charge, possibly lower my credit rating, and STEAL MY IDENTITY!
Posted by (1 comment )
 
