A massive security breach traced to a third-party processor of payment card data has led MasterCard International Inc. to begin notifying member banks that more than 40 million credit cards of all brands are now potentially exposed to acts of fraud. About 13.9 million MasterCard-branded cards are affected.
The stolen data includes names, banks and account numbers, but not addresses or Social Security numbers, according to a MasterCard spokesperson. Thus, the data could be used to steal funds but not identities.
The breach occurred at Atlanta-based CardSystems Solutions Inc., which processes transactions on behalf of financial institutions and merchants. Vulnerabilities in CardSystems’ software security allowed an unauthorized party to infiltrate the company’s network by way of a computer virus and capture the cardholder data.
MasterCard has notified its customer banks of the specific accounts that may have been compromised so that they can initiate their own measures to protect their cardholders. Under federal law, credit card holders are liable for no more than $50 of unauthorized charges. Many card issuers, including MasterCard, often waive the $50.
While MasterCard and most other reputable credit card companies, financial institutions, and data aggregators stress their commitment to protecting their customers’ personal information, 2005 has amply demonstrated that more than good intentions are needed to stop these major security breaches and lapses.
As we have reported on several occasions, today’s identity thieves are no longer satisfied with one victim at a time. The new approach to identity theft is to steal as many identities as possible at the same time. It is for this reason that organizational software and databases are now targeted.
Even before this latest debacle, 2005 had seen several high-profile database thefts or losses that already put millions of people at risk for identity theft. Whether the information was stolen directly, bought from a dishonest employee, or lost through the negligence of the organization itself, inadequate security practices were at the heart of each loss.
These ongoing security lapses are leading lawmakers to push for tighter rules for U.S. data aggregators. David Sobel, general counsel at the Electronic Privacy Information Center, stated:
“The steady stream of these disclosures shows the pressing need for regulation of the industry both in terms of limitation in the amount of personal information that companies collect and also liability when these kinds of disclosures occur.”
The following is a brief recap of the prior high-profile security breaches in 2005, which had already put almost 6 million individuals at risk for some form of identity theft.
June 16: The Federal Deposit Insurance Corporation (FDIC) began warning some 6,000 current and former employees that their sensitive personal information (names, birth dates, Social Security numbers, and salary information) had been breached. Although no specific details of the incident were released, it was reported that an unspecified number of those employees have already been the victims of fraud as a result of the breach.
June 6: Financial giant Citigroup announced that United Parcel Service had “misplaced” a box of computer tapes containing personal data on approximately 3.9 million Citigroup customers. Citigroup released a statement that it would soon start to send data electronically in an encrypted form.
March: A security breach at LexisNexis, an information broker whose database contains addresses, driver’s license numbers, and Social Security numbers, allowed outsiders to access the personal data files of as many as 310,000 people.
Just prior to the LexisNexis breach, there was a security breach at ChoicePoint Inc., a company which sells access to personal databases. A con artist was able to call the company and gain access to the personal data of thousands of people. Information on nearly 145,000 people nationwide was no longer protected and authorities said that 750 people were defrauded.
April: British financial giant HSBC PLC notified at least 180,000 people of a scam involving General Motors-branded MasterCards. Apparently, when these cards were used to make purchases at Polo Ralph Lauren, criminals obtained access to their credit-card information.
February: Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.
April: Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. Foul play has not been ruled out.
March: An eBay scam set up by “phishers” used a coin collector’s eBay account to sell about $780,000 worth of coins, many of which never existed. Fees for the fraudulent action had been financed with $300 from the coin collector’s personal PayPal account. His eBay identity was stolen, and while the victim was able to change his credit card numbers, he has yet to recover some of the online fees charged by the phishers to his account, as well as the $7,500 worth of merchandise that he had purchased but the phishers had shipped to a different address in order to steal it.
April: A former Blockbuster Video store employee was indicted on charges of stealing customers’ identities and then using them to buy more than $117,000 in trips, electronics, and even a new Mercedes-Benz. The former employee was able to steal credit card numbers, Social Security numbers, and other private information from 65 customers in 2003 using the store’s online database. He was then able to open up new retail store and credit card accounts and make outlandish purchases.
April: Administrators at the University of California, Berkeley, disclosed that a laptop computer containing the names and Social Security numbers of nearly 100,000 people had been stolen.
April: Northwestern University reported that hackers broke into the computers at the Kellogg School of Management and potentially gained access to information on more than 21,000 students, faculty, and alumni.
April: A man in Hackensack, New Jersey, was accused of conducting a massive scheme to steal 500,000 bank accounts and personal information and sell it to bill collectors. His accomplices included branch managers and employees from some of New Jersey’s biggest banks, including Bank of America, Wachovia, and Commerce Bank. All are accused of selling bank account numbers and balance information for $10 per customer. In some cases, the bank employees printed out entire customer computer screens and turned them over to the ringleader.
Certainly, it is only a matter of time before companies and financial institutions that are negligent in the handling and storage of sensitive personal information suffer catastrophic losses as a result of the ever-increasing volume of lost or stolen information. If history teaches us anything, it is that operating losses are eventually passed on to consumers. In this situation, such a result would be terribly unfair since customers would be paying for a loss of their own data over which they had no control.