Mastercard Security Breach Affects 40 Million Cards

17 Jun ’05

Mastercard is reporting a security breach that at first glance seems breathtaking in its scope:

MasterCard International reported late this afternoon that more than 40 million credit card accounts of all brands, including 13.9 million MasterCards, may have been exposed to fraud through a security breach at a third-party payment processing company.

MasterCard said in a statement that its analysts and law enforcement officials identified a security hole at CardSystems Solutions, a company based in Tucson, Ariz., that processes more than $15 billion in Visa, MasterCard, American Express, Discover, online debit and electronic transfer transactions a year for small to midsize merchants and financial institutions.

An unauthorized person, MasterCard said, had been able to exploit this security vulnerability and gain access to CardSystems’ network, exposing the credit card accounts of millions of customers.

MasterCard said Social Security numbers, dates of birth and other sensitive information that might contribute to identity theft are not stored on its cards, although the credit card accounts accessed could be vulnerable to fraudulent charges.

Update: The NYT is on the story and has more information about what happened:

A MasterCard spokeswoman, Sharon Gamsin, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, on when the inquiry began or on whether any infiltrators had been identified. She did say that the breach occurred this year.

Deborah McCarley, a spokeswoman for the F.B.I. field office in Phoenix, said that her agency was trying to establish the scope of the breach and that “the investigation is just beginning.”

MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants’ transactions but not retained by CardSystems.
