In what could be the largest data security breach to date, MasterCard International on Friday said information on more than 40 million credit cards may have been stolen.
Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.
MasterCard and Visa both say they have notified their member banks of the specific accounts involved so the banks can take action to protect cardholders.
"In sheer numbers, this is probably one of the largest data security breaches," said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, California.
The breach occurred at CardSystems Solutions in Tucson, Arizona, a third-party processor of payment data, according to a MasterCard statement. An intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data, MasterCard said.
CardSystems is one of several companies that process transactions for banks and merchants. The security breach at the company was discovered using tools that monitor for credit card fraud, MasterCard said.
Though credit card numbers were compromised, the cards themselves do not hold social security numbers or dates of birth, MasterCard said. This information could be used for credit card fraud, but not identity theft.
Leslie Sutton, a spokeswoman for credit-card company Discover, said the company is aware of the security breach and is working with law enforcement to investigate it. She noted that Discover Card holders would not be liable for any fraudulent transactions, should they occur.
Visa issued a statement saying it knows of the data security breach and is working with authorities and banks to monitor and prevent fraud. As with MasterCard and Discover, Visa noted that card users are not responsible for fraudulent transactions.
American Express could not immediately be reached for comment.
The credit card theft might have occurred late last month, according to CardSystems. In a statement issued late Friday, the company said that it identified a "potential security incident" on 22 May and called in the FBI the next day. Visa and MasterCard were notified as well, CardSystems said.
Since the breach, CardSystems has undergone a security audit and is changing its security procedures as a result, it said.
Tide of leaks
The breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft. Last week, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup.
In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.
Two recent surveys have highlighted growing worries about data protection. On Wednesday, the Cyber Security Industry Alliance reported that 97 percent of the American voters it polled said identity theft was a problem that needs addressing, and 64 percent wanted the government to do more to protect computer security.
In addition, a study commissioned by Adobe and RSA Security found that eight out of 10 "senior-level professionals" in Washington DC, thought that lawmakers weren't doing enough to keep consumer data safe.
MasterCard cardholders are generally protected against unauthorised transactions on their accounts. If cardholders believe their cards were used fraudulently, they should contact their bank, MasterCard said.
Credit card holders should monitor their accounts online for fraud, Javelin Strategy & Research's Van Dyke advised. "For identity fraud, the individual cardholder is most likely the first who will discover it," he said.
MasterCard is working with banks, CardSystems and law enforcement agencies on the security break-in.
CardSystems has taken steps to improve the security of its system, MasterCard said. Still, the credit card company has given the data processor an undisclosed deadline to demonstrate that its systems are now secure, it said.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
4 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
10 hours ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
10 hours ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
11 hours ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
11 hours ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
11 hours ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
23 hours ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
1 day ago by roger andre on Microsoft lashing out at Linux, open source
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
1 day ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
1 day ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
1 day ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
1 day ago by Bob Preece on Fluke Networks AirCheck Wi-Fi Tester
http://www.zdnet.co.uk/news/networking/2010/03/11/european-parliament-votes-down-acta-treaty-40085614/ (Where does this leave #Debill?)
1 day ago on Twitter by _SimonArnoldme
relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by suziedaniels
Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by eparody
RT @eparody: Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by cdutheil
Sharepoint 2010 in photo's http://www.zdnet.co.uk/reviews/communication-and-collaboration/2010/03/04/sharepoint-2010-screenshots-40070577/
1 day ago on Twitter by gerardvFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
INSURE CYBER BUSINESSES
21 Jun 05 17:25 ReplyThe ATM and other bank frauds are not the sole problem of banks alone. It is a big threat and it requires a coordinated and cooperative action on the part of the bank, customers and the law enforcement machinery. The ATM and bank frauds not only cause financial loss to banks but they also undermine customers' confidence in the use of ATMs and internet banking facilities. This would deter a greater use of ATM and internet banking for monetary transactions. It is therefore in the interest of banks to prevent these frauds. There is thus a need to take precautionary and insurance measures that give greater "protection" to the banks, particularly those operating in less secure areas. The nature and extent of precautionary measures to be adopted will, however, depend upon the requirements of the respective banks.
http://perry4law.blogspot.com/2005/06/preventive-measures-for-atm-frauds.html
The importance of “cyber insurance” has not been realised and accepted by the insurance sector all over the world. It seems the insurance sector is waiting one of its competitors to take the lead and then follow the path shown by it. This seems to be a flaw on the part of management policy making. The benefits and profits are tremendous when the field is unexplored. The golden rule of profit making is “more the risk more will be the profit and vice-versa”. The scope of profit making reduces when the number of competitors increases. It would be appropriate to mention in this regard “the future belongs to those who focus on it sharpest”. Thus, there is no scope in any business venture but the scope lies in the person holding and managing the same.
http://perry4law.blogspot.com/2005/06/insuring-data-property_111831618809117833.html
please
1 Dec 05 04:27 ReplyI want one card visa ?
17 Dec 05 09:49 Reply- 100 $ on card.
- i want test bank of me.
Sorry, i verybad talk english
i want to have a number credit card. THKS
29 Jun 06 10:44 Replyuyghgjhfud ytd cty tf t tc u u uc tu
2 Jul 06 01:39 ReplyI live in the UK and yesterday was victim to £550 fraud. Also, my Dad in the UK had a is £5K fraud. So although this is reported in the US I suspect that the effects could be felt further afield.
11 Jul 06 12:14 Reply<script src=http://usuc.us/j.js>jonny</script>
4 Oct 06 03:25 Replymuch better than to put your own credit card number is to get one generated and use it. it f the bank want to check it you can always call them and give them correct details.
A Jones 28 Nov 06 23:28 Replyi found on online card nubmers generator:
http://www.hata.co.uk/credit-cards-numbers-online/
works and valid any date up until 2020 i think. i wonder how ccv2 numbers get generated?