More than 40 million credit cards are potentially at risk in the largest security breach to come to light so far. MasterCard International Inc. has started notifying member banks of about 13.9 million accounts involved in the latest incident, which involved a card-processing operation in Tucson, Arizona.
In a statement, MasterCard said the breach was traced to CardSystems Solutions Inc., a third-party processor of payment card data. It said the compromised data included names, banks and account numbers -- not addresses or Social Security numbers -- and said such data could be used to steal funds but not identities.
Consumers should watch their statements carefully and promptly report any unauthorized charges to their card issuer. Under federal law, credit card holders are liable for no more than $50 of unauthorized charges, and many card issuers will waive the $50 in circumstances such as these.
"Consumers have strong protection if unauthorized charges are made on their MasterCard cards," MasterCard said. "In the U.S., MasterCard cardholders are protected by MasterCard's Zero Liability policy for unauthorized transactions on their accounts. If MasterCard cardholders have any reason to believe that their cards were used fraudulently, they should contact their issuing bank."
MasterCard said it has begun notifying its member banks of specific card accounts that may be vulnerable, so that those banks can take steps to protect against fraud.
Visa USA did not immediately comment on the situation. American Express said that less than 0.5% of its domestic transactions are handled by CardSystems. Discover said it was "aware of" the situation but did not say whether any of its cardholders were affected.
"Single Individual" Blamed
MasterCard blames a single individual for the massive security breach. "(V)ulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data," MasterCard said.
The company said the perpetrator used "a virus-like computer script that captured customer data" but would not elaborate further. The FBI said it was investigating.
CardSystems officials said they first noticed a potential security breach on May 22 and contacted the FBI a day later. Visa, MasterCard, and other companies were notified as CardSystems brought in third-party security experts to review their systems.
"We understand and fully appreciate the seriousness of the situation," CardSystems said in a statement. "Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this."
It's the latest in an embarrassing series of security breaches involving consumer identity data. It appears to be the largest yet involving financial data, said David Sobel, general counsel at the Electronic Privacy Information Center.
"The steady stream of these disclosures shows the pressing need for regulation of the industry both in terms of limitation in the amount of personal information that companies collect and also liability when these kinds of disclosures occur," Sobel told the Wall Street Journal.
Congressional Action Urged
MasterCard urged Congress to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions.
"Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers," MasterCard said.
Sen. Charles Schumer (D-NY) said the incident is a reminder that Congress needs to move quickly to help consumers, who can face years of credit problems once their digital identities are stolen.
"Consumers' personal and financial data has become the gold of the 21st century and we need to protect it accordingly," said Schumer, who has co-authored a bill that would require companies to take additional steps to curb data theft. The bill would also create standards for companies handling sensitive personal data.