SecurityFocus 2005-06-17
Data thieves breached the systems of credit-card processor CardSystems Solutions and made off with data on as many as 40 million accounts affecting various credit-card brands, MasterCard International said on Friday.
The credit-card giant's anti-fraud systems detected the breach and, after analyzing the data, MasterCard pinpointed the Atlanta, Georgia-based third-party processor as responsible, the company said in a statement released late Friday.
"Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor's systems," the statement said. "These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data."
The breach is the largest data leak to date, potentially affecting one out of every seven credit cards issued in the U.S., according to MasterCard estimates.
The credit-card giant verified that information on at least 68,000 MasterCard accounts was taken from CardSystems' database by "running a script," said spokeswoman Jessica Antle. MasterCard declined to release more information on the vulnerabilities for fear it would impact the ongoing investigation, she said.
According to CardSystems, the company first identified the "potential security incident" on May 22 and notified the FBI as well as Visa and MasterCard. The company hired a security company to check its systems and took additional measures to harden the systems, the company said in a statement released late Friday.
"We understand and fully appreciate the seriousness of the situation," the company said in a statement. "Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter."
CardSystems processes more than $15 billion annually in credit-card transactions on behalf of more than 105,000 small to medium businesses, according to the company's site.
The breach potentially exposed 40 million cards of various brands. As many as 13.9 million MasterCard-branded credit cards may have been affected, the company stated. MasterCard notified its member banks of the specific card accounts affected.
Highly sensitive data--such as social security numbers or birth dates--are not kept on the cards and are not at risk, the company said. MasterCard stressed that consumers have zero liability for unauthorized transactions and asked that consumers report suspicious transactions to the card's issuing bank.
"You can't have your identity stolen with this information," MasterCard's Antle said.
Visa did not immediately comment on the theft, but was preparing a statement. The U.S. Secret Service is not investigating the breach, a spokesperson said. The FBI could not immediately be reached for comment.
The breach is the latest incident to put consumer financial data at risk. In April, investment firm Ameritrade announced that backup tapes containing details of nearly 200,000 account holders had been lost in transit. Citigroup and Bank of America lost backup tapes with the data of nearly 3.9 million and 1.2 million account holders, respectively. And data-collection firm ChoicePoint gave information on nearly 150,000 U.S. citizens to criminal groups posing as legitimate businesses.
Until companies start feeling consumers' pain when these breaches happen, such data leaks will likely continue, said Mitchell Ashley, chief technology officer for network security company StillSecure.
"Until there are sufficient penalties, down to holding an individual or the boardroom accountable, companies are going to do the minimum possible," he said.
In its statement, MasterCard urged Congress to widen the application of current regulations, such as the Gramm-Leach-Bliley Act, which holds financial institutions accountable for consumer information, but only for consumer-service providers, not business-service providers.
"MasterCard urges Congress to extend that application to also include any entity, such as third-party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers," the company said in the statement.
MasterCard has given CardSystems a limited amount of time to meet the credit-card giant's standards for security, the company said in the statement. The vulnerabilities that led to the current breach have been fixed, MasterCard said.