RealTime IT News

Hack Results in Action by Credit Card Firms

In the wake of the CDuniverse break-in, which resulted in the theft of as many as 300,000 credit card numbers and other customer information by a Russian cracker using the nickname Maxus, two credit card companies have re-issued cards to all cardholders who have shopped at CDuniverse.

Kathy Edwards, a spokesperson for Discover Financial Services, confirmed that about 10,000 accounts were affected. The affected cards have been canceled and credit card holders have been issued replacements. An American Express spokesperson, Molly Faust, declined to reveal the number of card holders involved in its recall. Visa and Mastercard issue cards through banks and other partners and have not initiated similar recalls, although partners could take that action.

To prevent misuse of the existing cards during the period when the new cards are en route to holders, the company said it has implemented unspecified fraud detection features. Discover cardholders, however, will be without use of their accounts until they receive their new plastic, according to the company. Both card issuers are offering expedited delivery of the new cards using express mail services.

Last Friday, CDuniverse sent e-mails to its customers notifying them about the security breach and suggesting they monitor their cards for any suspicious activity, but the company did not recommend that customers cancel their credit cards.

The stolen credit cards were posted to a Web site on Dec. 25th, and according to a counter at the site more than 25,000 were downloaded by visitors before it was taken offline January 9th. Maxus claimed in an email to InternetNews to have notified CDuniverse about the stolen data over a month ago, and said he posted the cards only after the company failed to pay him $100,000 in ransom.

CDuniverse officials have declined to provide specifics about when they first learned about the stolen data.

Anita Boomstein, an e-commerce attorney with Hughes Hubbard & Reed in New York, said that if CDuniverse was slow to notify customers about the break-in, it will bear the cost of any fraudulent card use.

"The issuers can't charge the consumers for any unauthorized charges -- they will charge them back and debit CDuniverse's merchant account. So to the extent that they didn't act reasonably in the way they handled it, CDuniverse will ultimately bear the penalty for it," said Boomstein.