By Andy McCue, 28 April 2006 18:25
A UK-based online retailer has been identified as the source of a security breach that has resulted in thousands of MasterCard and Visa holders having their credit cards cancelled this week.
At least 4,000 UK MasterCard holders are believed to have now been affected by the breach, which occurred after hackers gained access to credit card details via the as-yet-unnamed e-tailer.
It was initially believed 2,000 credit card details had been stolen after silicon.com exclusively revealed that MasterCard advised card issuers to shut down the accounts of the cardholders affected and issue new cards after discovering the breach.
But a MasterCard holder whose card was stopped as a result of the security breach told silicon.com today that his card issuer, Goldfish, part of Morgan Stanley, said more than 4,000 people have been affected.
The Clydesdale Bank and Morgan Stanley itself are two other MasterCard card issuers that have been proactively calling customers whose details have been compromised by the breach over the past week.
MasterCard said it is unable to name the retailer or release any more details about the incident because of the sensitivities of the ongoing investigation, but stressed that MasterCard's own systems were not breached.
A statement issued by the company said: "MasterCard International is aware of a potential security breach at a UK-based retailer. But because this is an ongoing investigation, we cannot disclose specific details regarding the incident or comment, other than to say that we are co-operating and we have notified the banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders."
Visa also said it notified the issuing banks of the affected cardholders as soon as the security breach was discovered.
A spokesman for Visa Europe said: "Visa Europe can confirm that it is aware of a suspected data compromise involving a UK-based online merchant. A full investigation is continuing and Visa is working closely with all appropriate organisations to resolve this issue as a matter of urgency."

Comments
There are 13 comments.
1. anonymous
There are far more than 4000 cards affected. The 4000 figure related to Goldfish MasterCards; as Goldfish represents a tiny proportion of cards issued, the scale of the hack must be massive.
2. anonymous
It is not acceptable for the name of the retailer to be kept secret. The public have a right to know.
3. Goose
Why on earth would a retailer store credit cards in plain text? Surely if they are to store such information they would use one-way encryption.
This retailer needs to be named and shamed.
4. DB
PCI:DSS, need I say more?
5. Iain
If this happened in the USA the retailer would be exposed and hit with hefty PR and financial costs.
Not much point in having Data Protection laws if they only generate a slap on the wrist.
6. Stuart Horner
I fully agree that the retailer should be named - if only to protect future users of their site. I will be reviewing my use of internet retailers in the future.
7. AC
As one of those 4,000 affected I believe that if there is no doubt as to where the data originated then we should be made aware of that fact.
8. anonymous
...surely MasterCard will be imposing a hefty fine as clearly this retailer was not PCI compliant?
I cannot understand why this retailer should remain anon when this affects so many thousands?
9. Lionel A Smith
It could be that the reason why the e-tailer has not been named is because it is a big fat white shark rather than a little fish. Perhaps we should start a list of probables.
Now on the subject of Identity Card data security ...?
10. galley slave#41
Whatever the outcome of this investigation the cardholders will pay and pay and pay.
11. Mike
The retailer's MasterCard and Visa accounts should be suspended for 6 months as a penalty, thereby effectively stopping them from internet trading. When other retailers see the penalty, they will be more careful!
12. anonymous
...and does the issuer pull out any stops to re-issue cards promptly?
Does it ****!
I now find myself without a card for 10-14 days!
...yet if I had been careless and lost my card abroad, it seems they could've got me a replacement in 24hrs.
13. Mark Hosey
I can't see any good reason at all why any retailer should retain any card information once a sale has gone through and a batch number has been issued for the transaction. Why do they, and why are they allowed to?
M Hosey