Mastercard Security Breach Affects 40 Million Cards

17 Jun ’05

Mastercard is reporting a security breach that at first glance seems breathtaking in its scope:

MasterCard International reported late this afternoon that more than 40 million credit card accounts of all brands, including 13.9 million MasterCards, may have been exposed to fraud through a security breach at a third-party payment processing company.

MasterCard said in a statement that its analysts and law enforcement officials identified a security hole at CardSystems Solutions, a company based in Tucson, Ariz., that processes more than $15 billion in Visa, MasterCard, American Express, Discover, online debit and electronic transfer transactions a year for small to midsize merchants and financial institutions.

An unauthorized person, MasterCard said, had been able to exploit this security vulnerability and gain access to CardSystems’ network, exposing the credit card accounts of millions of customers.

MasterCard said Social Security numbers, dates of birth and other sensitive information that might contribute to identity theft are not stored on its cards, although the credit card accounts accessed could be vulnerable to fraudulent charges.

Update: The NYT is on the story and has more information about what happened:

A MasterCard spokeswoman, Sharon Gamsin, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, on when the inquiry began or on whether any infiltrators had been identified. She did say that the breach occurred this year.

Deborah McCarley, a spokeswoman for the F.B.I. field office in Phoenix, said that her agency was trying to establish the scope of the breach and that “the investigation is just beginning.”

MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants’ transactions but not retained by CardSystems.
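The rule CardSystems broke, retaining account numbers and security codes after the transaction had been passed to the bank, is something a processor can check for in its own stored data. The following is an added example, not code from this post or from any company named in it: it scans a few constructed log lines for Luhn-valid card numbers and adjacent security-code fields and reports them masked. The log format and field names are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit value labelled as a card security code on the same line.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security[ _-]?code)\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the issuer prefix and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return one finding per line that holds a Luhn-valid PAN, noting a stored security code."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        pans = []
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):     # drops reference numbers that merely look like PANs
                pans.append(mask(digits))
        if pans:
            findings.append({"line": lineno, "pans": pans,
                             "security_code": CVV_RE.search(line) is not None})
    return findings


# Constructed sample of a processor log that retains data it should not (assumed format).
SAMPLE_LOG = [
    "2005-06-17 10:43:12 auth ok merchant=1001 pan=4111111111111111 cvv2=123 amt=19.99",
    "2005-06-17 10:44:01 auth ok merchant=1002 pan=5555 5555 5555 4444 amt=8.50",
    "2005-06-17 10:45:30 auth declined merchant=1003 ref=1234567890123456",
    "2005-06-17 10:46:02 settle batch=77 count=2",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The third sample line carries a 16-digit reference that fails the Luhn check, so it is not reported; only the first line is flagged as also storing a security code.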


Tad McIlwraith June 18, 2005 at 10:43

Thanks Rob … I feel a whole lot better! At least your answer is satisfactory, thorough, and well thought …


Rob Hyndman June 18, 2005 at 07:34

Well, I think two things are happening. First, a new California law that requires notification of unintended disclosure (with many others like it about to be made into law) is publicizing what has been going on for years. Second, the scope and complexity of data aggregation has dramatically increased in recent years, leaving us far more vulnerable to these kinds of security issues.

Those who collect and aggregate data have been able to “live in the shadows” for a long time and have gotten by doing less than they should. That’s ending now – the series of almost nightmarish disclosures we’ve seen recently has dramatically focussed attention on the issue and I think the industry is going to shape up fast. And so too will many other businesses who store data. The consequences of not doing enough – particularly adverse publicity – are becoming too serious to ignore.

I think we’ll see a trickle down or meat-in-the-sandwich effect start to occur – at one end, the credit card companies need to limit cardholder liability in order to maintain the viability of the entire system. At the other, merchants are exposed to losses when fraudsters use credit card info to steal goods and services. In between, underneath the credit card companies, anyone who manages data and exposes it to risk is going to start getting sued for the consequences. BJ’s is an example:

http://www.robhyndman.com/2005/06/17/bjs-settles-data-breach-case-with-ftc/

They are getting sued by merchants who lost goods and services because of the data breach. Merchants will start to lose patience with a system that lets the banks and card issuers off the hook and they will start to press them to set higher standards and police them more aggressively. And with the U.S. Congress getting involved in this (this issue is good politics) that will likely happen faster rather than sooner.

But in any event, at the end of the day, there are fundamental problems with the way information technology systems manage security, and this will be a problem for a long time. I’ve really enjoyed reading Bruce Schneier’s books about security for background info on this – particularly “Secrets and Lies”.

I think there is very little the individual can do. Other than restrict use of your card. But in this case, the breach was at a processor – so anyone who used their card at any merchant was potentially at risk. So, no easy answer.


Tad McIlwraith June 18, 2005 at 00:04

What’s the answer here, Rob? Is it simply that the security software is shoddy and that the security technology needs to catch up with the consumer-driven technology, if you get my meaning? Do you advocate the end of credit and debit card use?

I see your frequent posts about these breaches, but I really don’t know how to use the information to help myself. Can I? It seems so out of my hands.
