UPDATED: In what is considered one of the largest security breaches, MasterCard International said
information on more than 40 million credit cards lay exposed at credit card
processor CardSystems Solutions.
Exposed data included holder names, banks and account numbers. No
Social Security numbers, birth dates or other personal information were stored
on the accounts.
Roughly 13.9 million cards were of the MasterCard brand, said MasterCard,
which pinpointed the breach at CardSystems, an Atlanta-based company that
processes transactions between financial services firms and merchants. Visa
and American Express also said data was exposed through CardSystems.
MasterCard spokesperson Jessica Antle said 68,000 MasterCard account numbers
were especially at risk because they were in a file found to have been
exported from CardSystems’ database.
Antle said MasterCard’s security team used a fraud monitoring system to get
a report from card-issuing banks, which showed abnormal usage patterns on
The exploit could have allowed a perpetrator to access cardholder data on
the CardSystems computer network. A security team then worked with
CardSystems to neutralize the vulnerabilities in the systems.
CardSystems said in a statement it alerted the FBI to the possibility of a security gaffe in May. The processing
company then installed new security gear to ensure all systems were secure
and solicited a third party to validate systems security.
“We understand and fully appreciate the seriousness of the situation. Our goal is to cooperate fully with the
FBI to complete the investigation and ensure that we do nothing that might
compromise the investigation.”
While CardSystems has attempted to boost its security, MasterCard said it is
giving the third-party processor a limited amount of time to comply with
MasterCard security requirements.
The Purchase, N.Y., credit card purveyor also notified its customer banks of
specific card accounts that may have been subject to compromise.
The company also reiterated its desire to have Congress enact a wider
application of the Gramm-Leach-Bliley Act, which includes provisions to
protect consumers’ personal financial information held by financial
GLBA only applies to financial institutions that service consumers,
including MasterCard. MasterCard said it would like Congress to extend that
application to include any entity, such as third-party processors like
CardSystems, that stores consumer financial information.
Such breaches are anything but new. The difference is that there have been
plenty of high-profile data exposure cases of late, throwing more light on
The Senate is considering legislation that would provide consumers with notice that their personal data may have been exposed. California’s similar law already mandates such notices.