MasterCard: 40M Credit Card Accounts Exposed
Page 1 of 1
UPDATED: In what is considered one of the largest security breaches, MasterCard International said information on more than 40 million credit cards lay exposed at credit card processor CardSystems Solutions.
Exposed data included holder names, banks and account numbers. No Social Security numbers, birth dates or other personal information were stored on the accounts.
Roughly 13.9 million cards were of the MasterCard brand, said MasterCard, which pinpointed the breach at CardSystems, an Atlanta-based company that processes transactions between financial services firms and merchants. Visa and American Express also said data was exposed through CardSystems.
Mastercard spokesperson Jessica Antle said 68,000 Mastercard account numbers were especially at risk because they were in a file found to have been exported from CardSystems' database.
Antle said Mastercard's security team used a fraud monitoring system to get a report from card-issuing banks, which showed abnormal usage patterns on certain cards.
The exploit could have allowed a perpetrator to access cardholder data on the CardSystems computer network. A security team then worked with CardSystems to neutralize the vulnerabilities in the systems.
Visa and American Express also said data was exposed through CardSystems.
CardSystems said in a statement it alerted the FBI to the possibility of a security gaffe in May. The processing company then installed new security gear to ensure all systems were secure and solicited a third party to validate systems security.
"We understand and fully appreciate the seriousness of the situation. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation."
While CardSystems has attempted to boost its security, MasterCard said it is giving the third-party processor a limited amount of time to comply with MasterCard security requirements.
The Purchase, N.Y., credit card purveyor also notified its customer banks of specific card accounts that may have been subject to compromise.
The company also reiterated its desire to have Congress to enact a wider application of Gramm-Leach-Bliley act, which includes provisions to protect consumers' personal financial information held by financial institutions.
GLBA only applies to financial institutions that service consumers, including MasterCard. MasterCard said it would like Congress to extend that application to include any entity, such as third party processors like CardSystems that store consumer financial information.
Such breaches are anything but new. The difference is that there have been plenty of high-profile data exposure cases of late, throwing more light on the issue.
The Senate is considering legislation that would provide consumers with notice that their personal data may have been exposed. California's similar law already mandates such notices.