CardSystems Settles Data Breach Charges
A credit card processor settled charges with the Federal Trade Commission (FTC) Thursday over what the FTC characterizes as the largest known compromise of financial data to date.
Last June, CardSystems revealed it had exposed personal information on more than 40 million credit cards after hackers broke into the firm's computer system.
The FTC said CardSystems's lax security practices, taken together, constituted an unfair trade practice.
To settle the charges, CardSystems agreed to implement an information security program and to obtain audits from an independent third-party security professional every other year for 20 years.
"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," FTC Chairman Deborah Platt Majoras said in a statement. "Any company that keeps sensitive information must take steps to ensure that the data is held in a secure manner."
There was no fine included in the settlement since the statute under which CardSystems was charged prohibits civil penalties.
In a similar case charged under a different law, data broker ChoicePoint paid a record $10 million fine for inadequately protecting consumer data.
CardSystems does, however, face potential financial liability under banking laws and private litigation for losses related to the breach.
According to the FTC, CardSystems, as a credit card processor, provided merchants with hardware and software used in obtaining approval for credit and debit card purchases from the banks that issued the cards.
CardSystems collected the personal information, including card numbers and expiration dates, from the magnetic stripe on the cards. In 2005, CardSystems processed more than 210 million card purchases totaling more than $15 billion.
The company then stored the information on its own system where it eventually became exposed to data theft.
The FTC charged CardSystems with creating unnecessary risks to the information by storing it, including not using readily available security measures.