Certainly, as numbers go, 68,000 is smaller than 13.9 million and 200,000 is less than 40 million. Unfortunately, that may be of little consolation when it comes to having your personal information stolen by a thief who is looking to commit some type of financial fraud with it. It’s a bit like telling the survivors of a shipwreck that only some of them might be eaten by sharks.
MasterCard has now stated that “only” 68,000 of its cardholders are at a higher risk of fraud from the huge data theft that was announced over the weekend. The indication from MasterCard, however, is that some level of fraud has already taken place with respect to some of the 13.9 million MasterCard customers who had their personal information compromised.
A massive security breach traced to a third-party processor of payment card data led MasterCard International Inc. to notify member banks that more than 40 million credit cards of all brands are now exposed to acts of fraud.
The stolen data includes names, banks and account numbers but not addresses or Social Security numbers, according to a MasterCard spokesperson. Thus, the data could be used to steal funds but not identities. The 68,000 accounts are at risk because the file they were found in had been “exported from the system.”
The breach occurred at Atlanta-based CardSystems Solutions Inc., which processes transactions on behalf of financial institutions and merchants. That company has now admitted that “only” about 200,000 of the 40 million accounts affected are in that higher risk category. CardSystems said yesterday that the compromised file contained data from other credit card companies in proportion to the volume of business it handles from each company. That would be roughly 100,000 Visa accounts and some 30,000 others.
CardSystems acknowledged that the information belonging to those 200,000 cardholders should not have been retained in its data bank. Even though it was only holding the personal information for what it described as “informational purposes,” doing so would be in violation of the company’s agreements with MasterCard and other clients.
The personal information in question was supposed to be passed on to banks and not kept by CardSystems. Under rules established by Visa and MasterCard, processors are not permitted to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is completed. This policy was specifically intended to protect customers’ personal data.
Although CardSystems claims it is no longer keeping the information, it is far from clear why it was doing so in the first place. The data was particularly sensitive in that it included cardholders’ security codes, a highly prized bonus for data thieves because it significantly increases the black-market value of the stolen information. In addition, the improperly retained data that was lost was reportedly not encrypted; encryption would have rendered it useless to the thieves.
MasterCard has notified its customer banks of the specific accounts that may have been compromised so that they can initiate their own measures to protect their cardholders. Under federal law, credit card holders are liable for no more than $50 of unauthorized charges. Many card issuers, including MasterCard, often waive the $50.
It remains to be seen where the final blame for this occurrence will be placed and what penalties will be imposed. Lawmakers too will probably be studying this latest breach of information transfer security with an eye toward legislation that would make data transmission more secure.