Security Breach Exposes 40 Million Credit Cards
MasterCard yesterday warned of a security breach at Tucson, AZ-based CardSystems that dwarfs recent reports of financial data loss. The company reports that information on up to 40 million credit cards may have been exposed at the third-party credit card payment processor, 13.9 million of them belonging to MasterCard customers.
CardSystems processes over "$15 billion in Visa, MasterCard, American Express, Discover, on-line debit and EBT transactions annually", according to the company's website.
The breach was discovered, in part, by fraud protection mechanisms employed by MasterCard, according to a statement. The companies then traced the problem to vulnerabilities within CardSystems' network, which allowed an unauthorized person to gain access to cardholder data. In a differing account, CardSystems does not mention MasterCard's involvement, but says that the breach occurred on May 22, 2005. On the following day, the company contacted the FBI.
According to the payment processor's spokesman Bill Reeves, the company then contacted VISA and MasterCard. CardSystems has since enlisted the help of a third-party security firm to validate their systems.
The CardSystems statement appears below:
CardSystems Solutions, Inc., identified a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.
Since that time, concurrently with the investigation proceedings, CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.
We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.
The credit-card giant's anti-fraud systems detected the breach and, after analyzing the data, MasterCard pinpointed the Atlanta, Georgia-based third-party processor as responsible, the company said in a statement released late Friday.
"Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor's systems," the statement said. "These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data."
The breach is the largest data leak to date, potentially affecting one out of every seven credit cards issued in the U.S., according to MasterCard estimates.
The credit-card giant verified that information on at least 68,000 MasterCard accounts was taken from CardSystems' database by "running a script," said spokeswoman Jessica Antle. MasterCard declined to release more information on the vulnerabilities for fear it would impact the ongoing investigation, she said.
According to CardSystems, the company first identified the "potential security incident" on May 22 and notified the FBI as well as Visa and MasterCard. The company hired a security firm to check its systems and took additional measures to harden them, the company said in a statement released late Friday.
"We understand and fully appreciate the seriousness of the situation," the company said in a statement. "Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter."
CardSystems processes more than $15 billion annually in credit-card transactions on behalf of more than 105,000 small to medium businesses, according to the company's site.
The breach potentially exposed 40 million cards of various brands. As many as 13.9 million MasterCard-branded credit cards may have been affected, the company stated. MasterCard notified its member banks of the specific card accounts affected.
Highly sensitive data, such as Social Security numbers or birth dates, is not kept on the cards and is not at risk, the company said. MasterCard stressed that consumers have zero liability for unauthorized transactions and asked that consumers report suspicious transactions to the card's issuing bank.
"You can't have your identity stolen with this information," MasterCard's Antle said.
Visa did not immediately comment on the theft, but was preparing a statement. The U.S. Secret Service is not investigating the breach, a spokesperson said. The FBI could not immediately be reached for comment.
The breach is the latest incident to put consumer financial data at risk. In April, investment firm Ameritrade announced that backup tapes containing details of nearly 200,000 account holders had been lost in transit. Citigroup and Bank of America lost backup tapes with the data of nearly 3.9 million and 1.2 million account holders, respectively. And data-collection firm ChoicePoint gave information on nearly 150,000 U.S. citizens to criminal groups posing as legitimate businesses.
Until companies start feeling consumers' pain when these breaches happen, such data leaks will likely continue, said Mitchell Ashley, chief technology officer for network security company StillSecure.
"Until there are sufficient penalties, down to holding an individual or the boardroom accountable, companies are going to do the minimum possible," he said.
In its statement, MasterCard urged Congress to widen the application of current regulations, such as the Gramm-Leach-Bliley Act, which holds financial institutions accountable for consumer information, but applies only to consumer-service providers, not business-service providers.
"MasterCard urges Congress to extend that application to also include any entity, such as third-party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers," the company said in the statement.
MasterCard has given CardSystems a limited amount of time to meet the credit-card giant's standards for security, the company said in the statement. The vulnerabilities that led to the current breach have been fixed, MasterCard said.
The investigation is ongoing and no suspects have been named.
Posted on Friday, October 26, 2007 @ 11:22:24 EDT by Michael