40M credit cards hacked
Breach at third-party payment processor affects 22 million Visa cards and 14 million MasterCards.
July 27, 2005: 6:16 PM EDT
By Jeanne Sahadi, CNN/Money senior writer

NEW YORK (CNN/Money) - Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions, MasterCard International said last Friday.

"It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data," said MasterCard spokeswoman Jessica Antle.

Of the cards involved, 13.9 million were MasterCard-branded cards, which include Maestro and Cirrus, and 22 million were Visa cards, said Visa spokeswoman Rhonda Bentz.

The breach took place at the Tucson office of CardSystems Solutions, a company that processes transactions on behalf of merchants and financial institutions.

As of Monday, MasterCard and CardSystems said that of the more than 40 million accounts exposed, information on only 68,000 MasterCard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands is known to have been exported by the hackers. The data exported included names, card numbers and card security codes.

MasterCard and CardSystems have offered differing explanations of how the data breach was uncovered. MasterCard said its fraud monitoring system identified a series of fraudulent transactions in April. Then, with the help of a member bank, it traced the problem to CardSystems Solutions.

CardSystems, meanwhile, said in a statement that it identified a potential security incident on Sunday, May 22nd, and notified the FBI the next day, and Visa and MasterCard after that.

CardSystems has admitted it was improperly holding consumer credit card data by keeping a file on credit card transactions that failed to receive authorization.

Both MasterCard and Visa have rules prohibiting card processors from saving cardholder information after transactions, and both have said CardSystems violated their policies.

"We were out of compliance and we recognize that file was out of compliance with the association rules," Bill Reeves, CardSystems' Senior Vice President, told CNN.

What's next?

Visa said it would review whether it would continue to work with CardSystems when the case is resolved. MasterCard said that it is giving CardSystems "a limited amount of time to demonstrate compliance with MasterCard security requirements."

For its part, CardSystems said it has taken measures since discovery of the breach to enhance its security procedures.

FBI spokesman Rex Tomb couldn't give more details about the case, saying only that "we're looking into it. But there's nothing more we can say at this time. It's a pending case."

MasterCard said it is giving member financial institutions the specific card account numbers that may have been compromised.

The credit card information exposed in the breach did not include any Social Security numbers, birth dates or other highly sensitive personal data, MasterCard said.

Consumers receive protection if unauthorized charges are made on their credit cards. MasterCard and Visa, for instance, have zero-liability policies.

Bentz said Visa will be monitoring the accounts closely and should know before cardholders if there has been any fraudulent activity. Thus far, she said, "We haven't seen anything outside of the norm."

If ever you notice unauthorized charges on your credit card, you should notify the bank that issued your card immediately.

The breach reported by MasterCard on Friday is one in a long line of breaches reported this year by consumer data aggregators like ChoicePoint, retailers such as DSW and corporations such as Time Warner, parent company of CNN/

Rather than a rash of illicit activity, experts say, the slew of reports may have more to do with companies wishing to protect themselves in the wake of a California state law requiring businesses to notify their customers when their personal information has been exposed in a security breach.

Illinois last week became the second state to pass such a law.


Allan Chernoff, a senior correspondent at CNN, contributed to this report.

