By Jonathan Krim and Michael Barbaro
Washington Post Staff Writers
Saturday, June 18, 2005
More than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and are at risk of being used for fraud, MasterCard International Inc. said yesterday.
In the largest security breach of its kind, MasterCard officials said all credit card brands were affected, including 13.9 million cards bearing the MasterCard label. A spokeswoman for Visa USA Inc. confirmed that 22 million of its card numbers may have been breached, while Discover Financial Services Inc. said it did not yet know if its cards were affected.
MasterCard officials said consumers are not held responsible for unauthorized charges on their cards, and that other sensitive personal data, such as Social Security numbers and birth dates, were not stored in the hacked system. So far, no evidence of fraudulent charges has emerged, they said.
The breach occurred late last year at a processing center in Tucson operated by CardSystems Solutions Inc., one of several companies that handle the transfer of payments between the bank of a consumer paying by credit card and the bank of the merchant where the purchase was made.
CardSystems' computers were breached by malicious code that allowed access to customer data, said Josh Peirez, a MasterCard senior vice president.
Peirez said MasterCard is certain only that 68,000 of its numbers were taken by the hacker over an unknown amount of time before the breach was discovered. But because the hacker had access to the full database, it is difficult to say how many more numbers may have been taken, he said.
He said the breach was not confirmed until about two weeks ago.
MasterCard said it has begun notifying banks that issue its cards, which in turn are responsible for notifying cardholders.
A teeming black market for stolen credit card numbers allows thieves to make quick purchases, pinning the loss on merchants, which do not get paid when the charge is discovered to be fraudulent. Identity theft experts said credit card numbers, even those that are canceled, have value because they can be used to help establish the credentials of a thief seeking to pose as a consumer to obtain other sensitive personal data.
Officials at MasterCard and Visa accused CardSystems of not meeting agreed-upon computer security standards. Peirez said CardSystems is being given a short time to make corrections.
"We have requirements," Peirez said. "In this case, it does not seem those standards were being followed."
Visa spokeswoman Rhonda Bentz said CardSystems did not comply with Visa's security rules when the breach occurred, though she would not elaborate on what went wrong.
In a written statement, CardSystems said it discovered the breach on May 22 and notified the FBI the next day.
"We are sparing no effort to get to the bottom of this matter," the statement said.
Bentz said Visa did not announce the breach, which it learned about in the past two weeks, because "we have an agreement with the FBI that we do not make an announcement in the middle of an investigation . . . and we hope MasterCard's jumping the gun does not do anything to jeopardize the investigation."
An FBI spokesman declined to comment other than to confirm that the agency is working on the case.
The breach is the latest in a spate of such announcements from a variety of organizations, including banks and companies that buy and sell personal data, universities and government agencies. In some cases information was lost, in others stolen, but the breaches have put identity theft atop the list of priorities for several members of Congress. Many of the cases involved Social Security numbers.
"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," Sen. Charles E. Schumer (D-N.Y.) said in a news release.
Peirez said MasterCard supports extending data security laws that apply to financial institutions to any entity that handles consumer information, such as transaction processors and data brokers.
MasterCard also supports a national law requiring that consumers be notified when their information is breached and there is significant risk of identity theft.
But Dan Clements, chief executive of CardCops.com Inc., a privacy protection organization, said financial institutions lack any incentive to take more responsibility for the problem.
Not only do credit card companies and banks that issue cards bear no losses for fraudulent purchases, but banks charge merchants for reversing unauthorized charges.
"It's a revenue stream for them," Clements said.