40 Million Credit Card Numbers Hacked

By Jonathan Krim and Michael Barbaro
Washington Post Staff Writers
Saturday, June 18, 2005

More than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and are at risk of being used for fraud, MasterCard International Inc. said yesterday.

In the largest security breach of its kind, MasterCard officials said all credit card brands were affected, including 13.9 million cards bearing the MasterCard label. A spokeswoman for Visa USA Inc. confirmed that 22 million of its card numbers may have been breached, while Discover Financial Services Inc. said it did not yet know if its cards were affected.

MasterCard officials said consumers are not held responsible for unauthorized charges on their cards, and that other sensitive personal data, such as Social Security numbers and birth dates, were not stored in the hacked system. So far, no evidence of fraudulent charges has emerged, they said.

The breach occurred late last year at a processing center in Tucson operated by CardSystems Solutions Inc., one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made.

CardSystems' computers were breached by malicious code that allowed access to customer data, said Josh Peirez, a MasterCard senior vice president.

Peirez said MasterCard is certain only that 68,000 of its numbers were taken by the hacker over an unknown amount of time before the breach was discovered. But because the hacker had access to the full database, it is difficult to say how many more numbers may have been taken, he said.

He said the breach was not confirmed until about two weeks ago.

MasterCard said it has begun notifying banks that issue its cards, which in turn are responsible for notifying cardholders.

A teeming black market for stolen credit card numbers allows thieves to make quick purchases, pinning the loss on merchants, which do not get paid when the charge is discovered to be fraudulent. Identity theft experts said credit card numbers, even those that are canceled, have value because they can be used to help establish the credentials of a thief seeking to pose as a consumer to obtain other sensitive personal data.

Officials at MasterCard and Visa accused CardSystems of not meeting agreed-upon computer security standards. Peirez said CardSystems is being given a short time to make corrections.

"We have requirements," Peirez said. "In this case, it does not seem those standards were being followed."

Visa spokeswoman Rhonda Bentz said CardSystems did not comply with Visa's security rules when the breach occurred, though she would not elaborate on what went wrong.

CONTINUED     1        >

© 2005 The Washington Post Company