Security Breach Could Expose 40 Million Card Holders to Fraud
By JOE BEL BRUNO, Associated Press Writer
A security breach of customer information at a credit card transaction
company could expose to fraud up to 40 million cardholders of multiple
brands, MasterCard International Inc. said Friday.
The credit card giant said its security division detected multiple
instances of fraud that tracked back to CardSystems Solutions Inc.,
which processes credit card and other payments for banks and
merchants.
The compromised data included names, banks and account numbers - not
addresses or Social Security numbers, said MasterCard spokeswoman
Sharon Gamsin. Such data could be used to steal funds but not
identities.
It was the latest in a series of security breaches affecting valuable
consumer data at major financial institutions and data brokers in an
increasingly database-driven world.
The breach appears to be the largest yet involving financial data,
said David Sobel, general counsel at the Electronic Privacy
Information Center.
"The steady stream of these disclosures shows the pressing need for
regulation of the industry both in terms of limitation in the amount
of personal information that companies collect and also liability when
these kinds of disclosures occur," Sobel said.
A flurry of disclosures of breaches affecting high-profile companies
including Citigroup Inc., Bank of America Corp. and DSW Shoe Warehouse
has prompted federal lawmakers to draw up legislation designed to
better protect consumer privacy.
CardSystems was hit by a virus-like computer script that captured
customer data for the purpose of fraud, Gamsin said. She said she did
not know how the script got into the system. The FBI was
investigating.
MasterCard, which said about 14 million of its own cards were exposed,
first announced the breach in a news release late Friday afternoon,
saying it was notifying its card-issuing banks of the problem.
Under federal law, credit card holders are liable for no more than $50
of unauthorized charges, and many card issuers including MasterCard
will even waive the $50.
Reached on his cell phone, CardSystems' chief financial officer,
Michael A. Brady, said: "We were absolutely blindsided by a press
release by the association."
He refused to answer any questions and referred calls to the company's
chief executive, John M. Perry, and its senior vice president of
marketing, Bill N. Reeves. A message left for Perry and Reeves at the
company's Atlanta offices was not immediately returned.
CardSystems processes less than 0.5 percent of American Express'
domestic transactions, said company spokeswoman Judy Tenzer. She said
a small number of its cardholders were affected, though she did not
have an exact figure.
"We are aware of the situation, we're closely monitoring it and we do
have an investigation under way," Tenzer said.
Discover Financial Services Inc. said it was aware of the situation
and would not say whether any of its cards were involved. Visa USA and
a large issuer of cards, MBNA Corp., did not immediately calls seeking
comment.
CardSystems, which has a processing center in Tuscon, Ariz., has been
in business for more than 15 years and handles transactions for more
than 115,000 small to mid-sized businesses, according to the company's
Web site. The company says it processes transactions worth more than
$15 billion annually.
Sobel said the fact that the latest breach involved a third party
"indicates that this is a shadowy industry where the consumer never
really knows who is going to be handling and using their personal
information," he added. "Presumably, the affected consumers thought
they were dealing with MasterCard."
Earlier this month, Citigroup said United Parcel Service lost computer
tapes with sensitive information from 3.9 million customers of
CitiFinancial, a unit that provides personal and home loans.
There have also been breaches involving other kinds of sensitive data.
ChoicePoint Inc. said in February that thieves using stolen identities
had created 50 dummy businesses that pulled data including names,
addresses and Social Security numbers on as many as 145,000 people.
In March, LexisNexis Inc. disclosed that hackers had commandeered a
database and gained access to the personal files of as many as 32,000
people.
The company has since increased its estimate of the people affected to
310,000. Information accessed included names, addresses and Social
Security and driver's license numbers, but not credit history, medical
records or financial information, corporate parent Reed Elsevier Group
PLC said in a statement.
"Hardly a week goes by without startling new examples of breaches of
sensitive personal data, reminding us how important it is to pass a
comprehensive identity theft prevention bill in Congress quickly,"
said Sen. Charles Schumer (news, bio, voting record), D-N.Y.
AP writers Anick Jesdanun, Adam Geller, Harry Weber, Ted Bridis, Arthur
Rotstein and Marcy Gordon contributed to this report.
Copyright 2005 The Associated Press.
[TELECOM Digest Editor's Note: My thanks to Lisa for rounding up this
item. So what do we do now? Discontinue any/all shopping on the
web where Card Systems is the processor? What information _is_ safe
to give over the net any longer? Any at all? PAT]
Lisa Minter (lisa_minter2001@yahoo.com)