Over 40 million credit cards are at risk after a hack attack on the systems of US payment card data processor CardSystems Solutions Inc, it was revealed on Friday. MasterCard and Visa credit cards have been affected by the breach.
The breach, which was initially detected in late May and confirmed two weeks ago, has been kept quiet until now at the request of the FBI.
According to MasterCard, security vulnerabilities in the systems of Tucson-based CardSystems Solutions allowed a hacker to infiltrate the network and access cardholder data, potentially exposing more than 40 million cards of all brands to the risk of fraud.
Around 13.9 million of these are MasterCard-branded cards, and a reported 22 million Visa cards might also have been compromised. American Express and Discover cardholders are also thought to be affected.
MasterCard confirmed on Friday that it has notified its customer banks of specific card accounts that may have been compromised, so that they can take the appropriate measures to protect their cardholders.
MasterCard stressed that no highly sensitive information, such as social security numbers or dates of birth, is stored on MasterCard cards. Nor are MasterCard cardholders generally liable for fraudulent credit card use, so long as they advise the credit card company that the card has been compromised. The cost of meeting the fraudulent purchase generally falls on the merchant from whom the goods were purchased.
According to reports, 68,000 MasterCard cardholders have already found fraudulent charges on their accounts.
CardSystems Solutions has been given “a limited amount of time to demonstrate compliance with MasterCard security requirements”, said MasterCard, and the data processor has already taken steps to improve the security of its system.
“We understand and fully appreciate the seriousness of the situation,” CardSystems said in a statement on its web site. “Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.”
The announcement follows in the wake of several other highly publicised consumer privacy breaches.
These include the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America, the loss of 145,000 customers' personal information to identity thieves at data broker ChoicePoint and most recently the loss of personal information relating to 3.9 million customers of a CitiGroup subsidiary, after computer tapes containing the data were lost in transit to a credit bureau.
According to Democratic Senator Charles Schumer:
"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive Identity theft prevention bill in Congress quickly. Consumers' personal and financial data has become the gold of the 21st century and we need to protect it accordingly."
Various proposals have already been put forward, including a bill by Democratic Senator Dianne Feinstein to force companies to notify consumers affected by security breaches and another by Democratic Senators Schumer and Bill Nelson to tighten up laws regulating data merchants and the sale and display of social security numbers.