Credit card breach exposes 40 million accounts

In what could be the largest data security breach to date, MasterCard International on Friday said information on more than 40 million credit cards may have been stolen.

Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.

MasterCard and Visa both say they have notified their member banks of the specific accounts involved so the banks can take action to protect cardholders.

"In sheer numbers, this is probably one of the largest data security breaches," said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

News.context

What's new:
In what could be the largest data security breach in the world to date, information on 40 million credit card accounts might have been stolen.

Bottom line:
The massive breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft. The incident also comes as the public expresses increasing concern over identity theft.

More stories on data security breaches

The breach occurred at CardSystems Solutions in Tucson, Ariz., a third-party processor of payment data, according to a MasterCard statement. An intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data, MasterCard said.

CardSystems is one of several companies that process transactions for banks and merchants. The security breach at the company was discovered using tools that monitor for credit card fraud, MasterCard said.

Though credit card numbers were compromised, the cards themselves do not hold social security numbers or dates of birth, MasterCard said. This information could be used for credit card fraud, but not to steal identities.

Leslie Sutton, a spokeswoman for credit card company Discover, said the company is aware of the security breach and is working with law enforcement to investigate it. She noted that Discover Card holders would not be liable for any fraudulent transactions, should they occur.

Visa issued a statement saying it knows of the data security breach and is working with authorities and banks to monitor and prevent fraud. As with MasterCard and Discover, Visa noted that card users are not responsible for fraudulent transactions.

American Express could not immediately be reached for comment.

The credit card theft possibly occurred late last month, according to CardSystems. In a statement issued late Friday, the company said that it identified a "potential security incident" on Sunday, May 22 and called in the FBI the next day. Visa and MasterCard were notified as well, CardSystems said.

Since the breach, CardSystems has undergone a security audit and is changing its security procedures as a result, it said.

Tide of leaks
The breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft. Last week, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup.

In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

Two recent surveys have highlighted growing worries about data protection. On Wednesday, the Cyber Security Industry Alliance reported that 97 percent of the American voters it polled said identity theft was a problem that needs addressing, and 64 percent wanted the government to do more to protect computer security.

In addition, a study commissioned by Adobe Systems and RSA Security found that eight out of 10 "senior-level professionals" in Washington, D.C., thought that lawmakers weren't doing enough to keep consumer data safe.

In the United States, MasterCard cardholders are protected against unauthorized transactions on their accounts. If cardholders believe their cards were used fraudulently, they should contact their bank, MasterCard said.

Credit card holders should monitor their accounts online for fraud, Javelin Strategy & Research's Van Dyke advised. "For identity fraud, the individual cardholder is most likely the first who will discover it," he said.

MasterCard is working with banks, CardSystems and law enforcement agencies on the security break-in.

CardSystems has taken steps to improve the security of its system, MasterCard said. Still, the credit card company has given the data processor an undisclosed deadline to demonstrate that its systems are now secure, it said.

Credit cards will go away without security

Mr Van **** lands the responsibility of "discovering fraud" on the cardholders. I beleive that we agree to put our money in their reserves with the understanding that they will protect our information. People will stop using credit cards all togehther soon without better protection.

This is ridiculous: schools, parents , politicians, town governments, etc. are all held to immense standards and these guys can only respond -- that we should be more responsible to check our own info on line,

AND WHAT ABOUT THOSE WHO HAVE CREDIT WITHOUT ACCESS TO THE INTERNET!!! THere are still a few hundred million of those folks,

These guys know how to protect our info, they just don't want to lose the income from selling our names,

Betsy Fowler

[bob blob]

don't exaggerate

there are still a few hundred million people with credit but no access to the internet? umm. the population of the US is like 300 million. you're saying everyone has credit without internet access? for free internet access, check your local public library. pshaw.

[Timmins]

Bigger Than they are reporting

Notice they have not mentioned how much money is involved.
This will rate as one of the largest one yet.

I sugeest EVERYONE check there card balance today.

I did and was totally shocked

Tim

[bob blob]

haha

sounds like an infomercial.

"try it. i did, and i was totally shocked."

by what? you forgot to pay off your remaining balance? that porn site you signed onto disregarded your 14-day cancellation and charged you?

[ordaj]

Knuckleheads. There needs to be...

...liability and criminal penalties. These knuckleheads will do nothing if it costs *them* money. So, the penalties have to cost them money. Lots of it.

[bob blob]

actually

they are taking liability for any fraudulent transactions that occur due to this incident. which means no cost to you, they'll pay for it. read the article again.

[Stating]

BastardCard

"Master The Criminal Possibilties!"

[Stating]

Time To Get A Swiss Credit Card

Seems like it's time to dump our American credit institution based cards in favor of the Swiss. They know something about security and privacy. If it's good enough for strong arm dictators' private accounts, like Yassar Arafat ($1 billion) it's good enough for me.

[Jonathan]

Yah and where are you going to use it?

If it ain't the big four....nowhere. Online sites don?t take anything else. Retail shops will laugh you out of their establishment, restaurants will have you washing dishes in the back to pay off your tab. If it isn?t Visa, AmerEx, Discover, or MC you have a very unique piece of plastic in your hands and that?s about it.

[Chrono13]

They're running Microsoft IIS

http://toolbar.netcraft.com/netblock?q=UU-63-83-95,63.83.95.0,63.83.95.255

Seems to be that it was a Microsoft System.

Mastercard themselves find that Solaris / Apache is a better (more secure) solution, and do not use Microsoft:

http://toolbar.netcraft.com/site_report?url=http://mastercard.com

So how many other credit card companies have our info laying around in IIS in third party systems?

uhhhh...

Sorry fella, but that's a webserver. I doubt they're storing customer data on a webserver or allowing access to it through the webserver.

No offense but I hope you're not in charge of my data.

[City_Of_LA]

Idiots

Should start then off with something easier to watch, eg. a pencil or teabag. I'm pretty much abandoning all my credit cards now. Until their laughable "networks" stop leaking info, they won't have me as a customer ever again.

[bob blob]

good luck

this wasn't a "leak." someone hacked into their network.

hey, if you don't want to use credit cards ever again, good luck going back to carrying assloads of cash and checks. and waiting 2 weeks for anything you buy online. you'll have to wait until your check clears after you snail-mail it to the retailer before your purchase is shipped.

What they don't tell you

What none of the articles related to this breech are telling you is that the real victims in these situations are the on line merchants who accept orders on these card accounts. And remember, the accounts won't be closed unless and until fraudulent activity is reported by the cardholders.

According to an LA Times report this morning, there have already been 70,000 fruadulent transactions on these hacked numbers, and this will continue for a long time. In every case, the cardholder will notify their card issuer and the merchant will receive a chargeback for the entire amount plus a fee up to $40.

Tom Mahoney, Director
merchant911.org

[Timmins]

What they aren't saying

From I'm able to determine is the merchant never got the money or even processed the transaction.
So the question is who got the money?
No real goods changed hands.

Tim

[directorblue]

Another scary aspect...

Reportedly, this theft had been occurring for several months until it was finally detected in May. The implications are pretty devastating: how many institutions and companies are already compromised by organized crime... but haven't detected it?

http://directorblue.blogspot.com/2005/06/cardsystems-missing-40-million-records.html

[Albertv]

You get what you pay fore

Did anyone notice "a third-party processor of payment data,? How much you want to bet they (the credit card companies) went with the lowest bitter and security was not the major issue for the third party getting to service the account. Price of the service was the 'only' standard used by the ?first party?.

Rather than blaming the software, we should be laying the responsibility at the feet of the outsourcing services and there pay master (the credit card companies). If an third party in outer Mongolia can do it for less it will be done there and data security will not be a deciding feature of the service contract.

[Mister C]

Any Ideas?

First off, does anybody real have the real skinny on just what software they were running?

Second, any idea who pulled this off? Mafia, Russian, Asian, crime organizations?
This sure doesn't sound like the work of script kiddies.

[jamie.p.walsh]

While we sit here and B!TCH

Problems like this go on every day without any HARD action taken by our government. They are content to let legislation to "help" resolve this bubble up in 12-24 months from now, and even then, it's a band-aid on an amputated leg.

MAKE THIS AN ISSUE. STOP CHATTING ABOUT IT AND FORCE THE GOVERNMENT'S HAND.

http://www.house.gov/writerep/

Tell Them It Needs to get done TODAY!!!

[Jonathan]

Awww isn't that cute....

someone who actually thinks writing a letter, or 10 letters, or 100, or 1000, or 100,000 would make a diff. Clue to those who haven't figured it out yet: IND that make the US an *** load of money have the gov in their pocket. Look at MS as an example.

[jtpickering]

A friendly lesson

Nice rant. Not much else there, but nice rant.

You say that politicians do nothing but legislate. Hmmm. Since that is pretty much the definition of their jobs, it seems that you are complaining that THEY ARE DOING THEIR JOBS! Further, you complain that they provide a period of time for companies to learn about laws and to become compliant. Friend, you need to learn a lot about democracy, capitalism, and credit cards. To facilitate your education, here is a very small bit of information on these topics.

The PCI (Payment Card Industry) DSS (Data Security Standards) were developed years ago by the major credit card associations (Amex, Visa, MasterCard, DiscoverCard, et.al.). The deadline (selected by the associations) for compliance was 7/1/2005. Very few merchants are compliant for a variety of reasons. There are fines (up to $500K per incident and $50k per month until compliant) and consequences (from increased fees to inability to accept credit cards) for those that are not progressing appropriately. This is a fine example of a self-correcting capitalistic policy. You should also know that the credit card associations have already indicated that they mean business (e.g. CardSystems).

Do you really want more government involvement in banking? If you thought credit card interest rates were not high enough or ATM fees were not high enough or that savings rates were not low enough, ask the government to create another federal agency. The banks will all need to pass that new cost of doing business along to someone.

Five US Senate bills have been introduced this year (2005) that may have some bearing on this issue. Seven US House bills have been introduced, one of which has been sent to the Senate already. Most (if not all) of these bills propose a fine (civil and/or criminal) or a new federal agency. This does not include any legislation at the state level.

The UK already has the Data Protection Act in place.

Bill said it best (http://news.com.com/5208-1029-0.html?forumID=1&threadID=7443&messageID=51166&start=-173) ?You live in a capitalist world. Learn how it works. It's your responsibility!?

[dscottmc]

Credit Card Breach->more to come!

Stole the credit card numbers! Ripped of a few hundred million bucks! IT CAN BE STOPPED!! The technology started 8 years ago and is anticipated to be demonstrable within 60 days from now. Do we care? Hey, folks, this does not "mitigate" the "breach" or "fraud" problem, it ELIMINATES it! WHY don't we have it? "Not invented here," ego, bureaucracy and stupidity. Probably after another few trillion or so lost MAYBE Chuck and the troops at CitiBank will say, "OK, what do we do?" Dunno. Stuck with the human mentality. Yea, I said "done."

[jimrocco]

When a major breach like this happens, the credit card companies responsible should be required by law to pick up the bill for the customers who become victims. I have friends who work these cases, and it is my understanding that this case could be the biggest breach in US history. The card companies are trying to hide the facts of this case by saying the FBI is investigating the case and they cannot talk about it, but what is really happening is they don't want the customers to know someine in the company opened the door for the bad guys to obtain all the customer information. The suspects are using the cards in Texas, Florida, California and Mexico. The damage from this breach is going to be massive. WATCH YOUR ACCOUNTS, OR BETTER YET, CONTACT YOUR BANK AND ASK FOR YOUR CARD TO BE REISSUED.

[JaylinU]

One of the most successful financial services outside of the banks and credit card companies (who can afford to lobby, we might mention) is under fire from legislative bodies these days. It's Washington DC that might be setting their sights on payday loan lenders next. Part of Obama's economic plan is to get a rate cap in place on all lending, and keep it at 36%, which makes payday lending untenable. Accusations of predatory lending are only backed up by anecdotal evidence, whereas the empirical (which means legitimate) evidence stacks up on the side of the <a href="http://personalmoneystore.com/moneyblog/2009/02/04/obama-payday-loan/">payday loan</a> lenders providing a needed service.