Jump to content

Biggest Identity theft breach yet!


Recommended Posts

Biggest Identity theft breach yet!

Cardsystems in an office in Arizona seems to have exposed 40 millions credit card account to identity theft with 68,000 at very high risk.

Huge credit card data theft found, Mercury News, 18 June 05


By Eric Dash and Tom Zeller Jr.

New York Times

"MasterCard International reported Friday that more than 40 million credit-card accounts of all brands may have been exposed to fraud through a computer security breach at a payment-processing company, perhaps the single largest case of stolen consumer data to date.

MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to mid-size merchants and financial institutions each year.

About 13.9 million MasterCard accounts were compromised as well as those of unspecified numbers of Visa, American Express and Discover customers. The accounts affected included credit cards and certain kinds of debit cards.

The FBI said it was investigating.

Sharon Gamsin, a MasterCard spokeswoman, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, when the investigation began or whether any infiltrators had been identified. She did say that the breach had occurred sometime this year.

Deborah McCarley, a spokeswoman for the FBI field office in Phoenix, said her agency was trying to establish the scope of the breach and that ``the investigation is just beginning.''

CardSystems said Friday that it identified a potential security problem May 22 or 23 and contacted the FBI, then the Visa and MasterCard associations. It said steps were taken immediately to ensure all systems were secure. ``Our goal is to cooperate fully with the FBI,'' it said.

According to MasterCard, an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems' network, exposing cardholders' names, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

``The processing companies are hubs for millions of payment records,'' said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a digital rights group based in Washington. ``It is the juiciest target for an individual who wants account numbers. It is a honey pot for identity thieves.''

He suggested that customers monitor their bills for unauthorized charges and consider asking their credit-card issuers for new account numbers.

MasterCard said other personal data that might be subject identity theft, such as Social Security numbers and dates of birth, was not stored on its cards and therefore not at risk. And it said credit-card holders would not be liable for any fraudulent charges to their accounts.

Visa and American Express also had statements on their Web sites Friday that customers wouldn't have to pay for fraudulent charges.

MasterCard said specific advice to cardholders as to precautions or recourse would have to come from the banks issuing the cards.

Officials at major credit-card issuers, like Citigroup and JPMorgan Chase, said they had been notified of the breach only recently -- in some cases as late as Friday -- and were still assessing the scope of the problem. Janis Tarter, a spokeswoman for Citigroup's credit-card division, said her company would notify customers likely to be at risk and more closely monitor any accounts that might have been affected. A Chase card spokesman said his company was taking similar steps.

MasterCard said the investigation began when it was notified by several banks that they had detected atypical levels of fraudulent charges. In turn, MasterCard began monitoring information from those accounts for common purchasing points. Using complex data-analysis systems and the assistance of an outside forensics firm, it was able to home in on an unspecified bank receiving spending data from merchants.

``When we started to dig into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions,'' said John Brady, MasterCard's head of merchant risk services.

Although 40 million credit-card accounts were said to have been put at risk, it is not clear whether data on all of those accounts was actually obtained."


Stolen MasterCard "High Risk" Accounts Total Estimated At 68,000 (Out of 40M), XML Journal, 19 June 05

"When MasterCard's forensic people went in to investigate the security breach that affected nearly 14M MasterCard accounts this week, they were able right away to find a file that with 100% certainty had 68,000 account numbers exported from its system. These accounts are considered "especially at risk."

In what might amount to one of the largest data heists ever, MasterCard believes up to 40 million cardholders of such credit card brands as MasterCard, American Express and others have been jeopardized in a massive theft at third party credit card processor, CardSystems Solutions Inc.

The breach compromised account holder names, banks and account numbers.

The MasterCard disclosure adds fuel to a growing uproar among privacy rights experts and government regulators who fear that Americans are increasingly threatened by identity theft and other privacy violations due to sloppy or inadequate data privacy and data security practices."


40 Million Credit Card Holders Facing Possible Identity Theft, ABC 18 June 05

"(Upper West Side-WABC, June 18, 2005) — It is the latest in a string of security breaches and possibly the biggest financial one ever. More than 40 million credit card accounts exposed to fraud. The breach affecting American Express, Visa, and for the most part, Mastercard.

As New Yorkers show for those Father's Day gifts they might have that security breach in the back of their minds. It is massive and troubling for some consumers who might not know that someone else is using their credit card information until they get their statement next month.

It's a horrible thing.

Eyewitness News' Jeff Pegues: "You use Mastercard?"

Credit Card Holder: "As a matter of fact I do."

Today New Yorkers are wondering if their credit card security has been compromised.

Credit Card Holder: "It's in the hands of the credit card companies and the government to keep it safe."

Forty million credit card users may have been exposed to fraud. Their credit card number, expiration date and the security code on the back of their cards, essentially swiped in a hacker-like attack on a company called Card System Solutions. It s a company that processes the transactions millions of Americans rack up with plastic every day.

Bill Reeves, Card Systems Solutions: "On Sunday, May 22nd we became aware of a security incident within the Card Systems. On Monday May 23 we immediately contacted the FBI."

Until the FBI Gets to the bottom of it, there are things concerned credit card users should know. Under federal law they are liable for no more than $50 50 of unauthorized charges and some card issuers offer zero liability to customers unauthorized use of the card.

But ultimately some say with so much personal information floating around in computers, there is no way to be 100% protected.

There is no place where consumers can be sure that personal information that they provide is safe.

In all, any brand of credit cards could be affected by something like this, but here is something that might put your mind at ease. The data that was compromised does not include addresses or social security numbers."


Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.. For more information, please see our Privacy Policy and Terms of Use.