A hacker broke into a computer database containing roughly 8 million Visa, MasterCard and American Express credit card numbers earlier month, prompting an FBI investigation into one of the largest intrusions of its kind.
All three card companies said that the numbers are being closely monitored, and that there is no evidence that any have been used for fraudulent purchases. The big three card issuers said the intruder cracked the computer security of a firm that processes credit card transactions for merchants, but they declined to name the company or provide any other details.
The companies said they had turned the matter over to the FBI.
About 2.2 million of the affected numbers involved MasterCard customers. "MasterCard's rules require that merchants securely encrypt cardholder information, including card numbers," so unauthorized purchases cannot be made, the company said in a prepared statement yesterday.
Visa, which accounted for 3.4 million of the numbers, sought to remind customers that they would be automatically credited for any unauthorized purchases, a policy followed by all three credit card companies.
Consumer fraud experts criticized the firms for not automatically informing all consumers that their accounts might have been compromised. Although credit card issuers generally do a good job of protecting against fraudulent purchases, the experts said, such security breaches can lead to a larger problem of identity theft that might not be apparent until months later.
Although it can be difficult to gather additional personal data from a credit card number alone, hackers bent on fraud are likely to try to use the information to impersonate a cardholder, said James Vaules, a former FBI agent and fraud consultant for the LexisNexis database company.
Dan Clements, who runs CardCops.com, a California consulting group and think tank on credit card fraud, said it is up to the banks and other vendors that issue credit cards to determine whether to inform their customers.
Clements said issuers generally don't do so unless they decide to give their customers new cards and account numbers, which costs issuers about $25 per account.
"The card holder is the last to know," Clements said, which hurts their ability to protect themselves against identity theft.
Christine Elliott, a spokeswoman for American Express, confirmed that her company has not informed its affected customers of the break-in. She declined to disclose how many accounts were affected but said the number was considerably lower than that of Visa and MasterCard.
"We would encourage our card members to call us if they have questions," Elliott said.
Spokesmen for Visa and MasterCard declined to provide the names of the banks that issued the affected cards and to discuss the identity theft question.
A spokeswoman for Citizens Bank in Philadelphia told CNN that her bank closed 8,000 accounts as a precaution and was reissuing cards. The bank did not return phone calls seeking comment.