More details emerged Monday on the cybersecurity breach at a payment processing company that exposed more than 40 million credit-card accounts to fraud.
The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions, MasterCard International spokeswoman Jessica Antle said. The program captured credit card data, she said.
The malicious code was discovered after a probe into the security of CardSystems' network. That investigation, by security experts from Cybertrust, was triggered by a MasterCard inquiry into atypical reports of fraud by several banks. The trail led to CardSystems, Antle said.
The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, Antle said.
MasterCard declined to disclose more information on the breach, citing an ongoing investigation by the FBI. CardSystems did not respond to email messages and phone calls seeking comment. A Cybertrust representative declined to comment on the case.
Online discussion boards, meanwhile, are abuzz about which vulnerable software CardSystems may have been running. The data processor's Web site runs on Microsoft's Windows 2000 operating system and IIS Server 5.0, which has fueled speculation that its other set-ups may also be Microsoft-based.
Into the breach
CardSystems said in a statement on Friday that it had identified a "potential security incident" on Sunday, 22 May, and called in the FBI the next day. Visa and MasterCard were also contacted, the company said. MasterCard went public with the CardSystems' breach on Friday after it had identified all the affected accounts, Antle said.
More than 40 million credit card accounts were exposed by the breach. About 22 million of those are Visa cards and 13.9 million are MasterCard, the companies have said. The remaining accounts were linked to other brands, including American Express and Discover.
While millions of accounts were potentially accessed by the attackers, the investigation into the theft has found that records covering about 200,000 cards were transferred outside the CardSystems network, Antle said. Of those records, 68,000 are for MasterCards, she said.
The thieves got access to names, account numbers and verification codes that could be used to commit fraud. However, the information did not include social security numbers, addresses or birth dates, which would be needed for identity theft.
CardSystems is one of many companies that process electronic payments. The company handles more than $15bn (£8.2bn) in card transactions annually for more than 105,000 small and medium-sized businesses, according to its Web site.
All the major credit card companies protect their customers against unauthorised transactions on their accounts. Fraudulent transactions are typically reversed. Cardholders should monitor their accounts online and contact the credit card company or card-issuing bank when fraud is suspected, experts said.
Staying mum
MBNA, one of the largest US credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won't contact the individuals affected, but is keeping a close eye on the compromised accounts, said Jim Donahue, an MBNA spokesman. In a case of fraud, an account would be closed and a new card issued, he said.
American Express is still deciding whether to contact its customers. Christine Elliott, a company spokeswoman, said accounts were exposed, but she did not disclose how many. In a case of fraud, she said that American Express would bear the financial burden, assuming the merchant has followed all standard card acceptance procedures.
MBNA would also not disclose how many of its customer accounts were compromised.
The CardSystems breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft. Two weeks ago, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by UPS while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup.
In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.
Two recent surveys have highlighted growing worries about data protection. Last Wednesday, the Cyber Security Industry Alliance reported that 97 percent of the American voters it polled said identity theft was a problem that needs addressing, and 64 percent wanted the government to do more to protect computer security.
In addition, a study commissioned by Adobe and RSA Security found that eight out of 10 "senior-level professionals" in Washington DC thought that lawmakers weren't doing enough to keep consumer data safe.
Talkback
An absolute disgrace. I have worked for a PSP which was forced to comply with Visa AIS regulations, which specifies encryption levels for capturing and storing card data. The fact that a major processor has been allowed to continue without being audited is a complete sham.
The PSP should be heavily fined, and the card issuers should also be fined for not forcing appropriate levels of security to be maintained.
In my experience of dealing with them, the card companies form the biggest obstacle to card security, as regarldess of fraud they still get their money, normally from the vendor, removing any incentive for improvement.