washingtonpost.com
Cardholders Kept in Dark After Breach
Some Banks Decline to Tell Customers Whether Accounts Were Compromised

By Mike Musgrove
Washington Post Staff Writer
Thursday, June 23, 2005

Consumer advocates said credit card customers have been denied crucial information in the wake of a recent data breach, as some major banks are declining to tell cardholders whether their account may have been accessed by hackers.

In a security lapse disclosed by MasterCard International Inc. last week, 40 million credit card and debit card numbers were exposed to an intruder who gained access sometime last year through a credit-processing firm. An interagency group of federal banking regulators has begun an investigation into the incident.

Meanwhile, Internet security firm Secure Computing Corp. warned yesterday that a fresh appearance of an old e-mail scam appears to come from opportunistic fraudsters hoping to use fear about the recent data theft as a way to trick MasterCard customers into giving up their account information.

Companies such as J.P. Morgan Chase & Co., Citigroup Inc., American Express Co. and MBNA Corp. said that they are not automatically alerting their customers that their information may have been exposed but that they are more closely monitoring the accounts that may have been affected. The policy was reported yesterday on CNetNews.com.

Such credit-card-issuing banks said MasterCard and Visa have shared with them lists of account numbers that may have been compromised. Though such accounts may earn heightened scrutiny from the banks that issued them, customers may never know whether their account numbers were among those stolen by hackers.

"Those accounts have been flagged, and we're watching them even more closely than we otherwise would," said Jim Donahue, spokesman at MBNA. "If we start to see an unusual rate of fraud [among the set of compromised accounts], we would consider notifying those customers impacted -- but we haven't seen that yet."

MasterCard said yesterday that it is up to banks that issue credit cards to determine whether to contact cardholders.

Consumer watchdog groups decried such policies as bad for consumers.

"That sounds really bad to us," said Chanelle Hardy, legislative counsel at Consumers Union, the nonprofit publisher of Consumer Reports magazine. "Any time that any unauthorized person gets access to sensitive or personal information, [the cardholder] should be notified," she said. "For a consumer, it's the first line of defense. It's almost their only line of defense."

The breach reported last week occurred at a processing center in Tucson operated by CardSystems Solutions Inc. and may have been the largest such theft. CardSystems did not return a call for comment yesterday.

The Federal Financial Institutions Examination Council has issued guidelines for when a bank should disclose to its customers that account information may have been stolen.

Michael L. Jackson, chairman of the FFIEC's information technology subcommittee, said yesterday that it was too early in the investigation to recommend one course or another.

There has not yet been any fraudulent activity associated with the stolen credit card numbers, said Sharon Gamsin, vice president of communications at MasterCard. If bogus charges do show up, customers often are not held responsible but can spend years clearing their credit ratings if someone steals their identity.

Within 24 hours of last week's news of the breach, a new version of an Internet scam was circulating on the Web. In an e-mail forged to look as if it had come from MasterCard, recipients were urged to log in to a counterfeited MasterCard site and enter their account information.

That Web site had apparently been taken down yesterday afternoon. It was registered in the name of Tucson resident Donald Cuppe, whose wife said in an interview yesterday that the couple knew nothing about the site but had received a call from their bank on Monday alerting them that their Visa debit card number was stolen.

Washingtonpost.com staff writer Brian Krebs contributed to this report.

© 2005 The Washington Post Company