NEWS In what could be the largest data security breach to date, MasterCard International on Friday said information on more than 40 million credit cards may have been stolen.
Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.
MasterCard and Visa both say they have notified their member banks of the specific accounts involved so the banks can take action to protect cardholders.
James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, California, said: "In sheer numbers, this is probably one of the largest data security breaches."
The breach occurred at CardSystems Solutions in Tucson, Arizona, a third-party processor of payment data, according to a MasterCard statement. An intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data, MasterCard said.
CardSystems is one of several companies that process transactions for banks and merchants. The security breach at the company was discovered using tools that monitor for credit card fraud, MasterCard said.
Though credit card numbers were compromised, the cards themselves do not hold social security numbers or dates of birth, MasterCard said. This information could be used for credit card fraud but not to steal identities.
A spokeswoman for credit card company Discover said the company is aware of the security breach and is working with law enforcement to investigate it. She noted that Discover Card holders would not be liable for any fraudulent transactions, should they occur.
Visa issued a statement saying it knows of the data security breach and is working with authorities and banks to monitor and prevent fraud. As with MasterCard and Discover, Visa noted that card users are not responsible for fraudulent transactions.
American Express could not immediately be reached for comment.
The credit card theft possibly occurred late last month, according to CardSystems. In a statement issued late on Friday, the company said that it identified a "potential security incident" on Sunday, 22 May and called in the FBI the next day. Visa and MasterCard were notified as well, CardSystems said.
Since the breach, CardSystems has undergone a security audit and is changing its security procedures as a result, it said.
The breach follows several high-profile data loss incidents that potentially exposed US consumers to identity theft. Last week, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup.
In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.
Joris Evers writes for CNET News.com
Comments
There are 5 comments. Join the discussion
1. anonymous
It would be helpful if this article told us whether UK card holders were affected.
2. Lionel A Smith
I am often suspicious about 'lost in transits' having grounds for suspecting that security services on both sides of the Atlantic intercept packages for their own pourposes.
For example the manuscript of a recently published book by investigative historians was unaccountably delayed in the post on its way to the publisher.
Whatever, the big lesson from this is that if those responsible for sensitive data cannot safeguard its privacy then plans for a UK Subject (not citizen as yet) ID card should be more carefully considered.
3. anonymous
Assurances given at websites does not match up to reality when it comes to the use of credit cards or banking information online. Access to information is becoming an epidemic. Why should anyone believe their account identity and funds are secure? I watched with shock and awe recently when a national correspondent gave two men in California her name and in less than 15 minutes they told her everything about her self including, SS#, account #, city of transaction, how much money was used in the transaction, exact address of bank involved, down to exact date and time of the transaction. That blog on the TV scared the living daylights out of most of us who want to trust electronic transfer of financial information. Not any more will I believe it! Neither should anyone else who does not want to get their identity stolen or their accounts ripped off! An epidemic of theft is rampant in our world targeting those who have access to credit card records and health records we have been told were secure. Assurances are being called into question and rightly so. Maybe keeping our funds and health records under our mattresses is about as safe as our institutions, based upon current breaking news!
4. NRL
Since the “year-dot” human beings have exploited one another for personal gain. This could be represented by the high street mugger, the con artist or the theft of valuable data and information. Technology and the use of it is just another vehicle that can be used for the purpose of exploitation and eventual theft.
Why is it that we are constantly surprised when a thief has identified an exploit and taken advantage of it? Is it because we naively believe that organisations have the technical ability and the inclination to safeguard valuable data and information?
Here is a radical thought; let’s get back to the basics and start thinking security – of people, objects and information. If that were to happen perhaps consideration would be given to such things as transporting backup tapes, use of crypto, checking employee credentials, maintaining employee motivation and morale – some people call this process a “defence in depth.”
Locking down an organisation’s ICT is only one element in the process of security.
5. anonymous
How do I know if someone had been able to get into my account to get my information? I have an account with Emerge master card and I was checking something online and came accross this article.