Only 40 million credit cards exposed to data security breaches? When I complained that over a million credit cards were hacked in India, the Government of India's sole repsonese was to set up a working group packed with credit card industry vested interests to examine the matter - a bit like asking Dawood Ibrahim to rewrite the Indian Penal Code. Why are Information Technology and cyber crime laws are so obsolete here in India ?
By Spencer Swartz (Reuters)
SAN FRANCISCO (Reuters) - MasterCard International on Friday said a security breach of credit card payment data had exposed about 40 million cards to potential fraud in the biggest such privacy violation ever reported.
An unauthorized person infiltrated cardholder data at CardSystems Solutions Inc., which processes transactions for MasterCard. About 13.9 million of those credit cards at risk are MasterCard-branded cards, the company said.
The total number of cards exposed exceeds the population of California, the most populous U.S. state.
"It sounds like the Guinness Book of World Records here," said Richard Smith, a leading computer privacy activist who runs a Web site called ComputerBytesMan.com.
There are 1.1 billion credit cards in circulation in the United States, according to the Nilson report which tracks the credit card industry.
A string of companies this year have reported stolen or misappropriated customer data, including Bank of America Corp. BAC.N, ChoicePoint Inc., and Reed Elsevier's.
MasterCard said its security staff identified the breach at Tucson-based CardSystems Solutions Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.
MasterCard said social security numbers and dates of birth were not "stored on MasterCard cards." The company was not available to elaborate on what types of information were exposed and whether any wrongdoing had occurred.
The Secret Service, which helps protect U.S. financial institutions in addition to protecting the U.S. president, declined to comment, spokesman Jonathan Cherry said. CardSystems and Visa USA, MasterCard's biggest rival, were also not available to comment.
CARDSYSTEMS, LEGISLATION
MasterCard said security vulnerabilities in CardSystems processor's systems allowed the breach.
CardSystems has already taken steps to improve the security of its system, MasterCard said, adding it was giving the company "a limited amount of time" to demonstrate compliance with MasterCard security requirements. CardSystems, which has been in business for about 15 years, processes more than $15 billion annually in transactions made online and with credit card issuers Visa, MasterCard, American Express, and Discover, according to the company's Web site.
MasterCard, based in Purchase, New York, said it immediately notified its customer banks of specific card accounts that may have been subject to compromise so they can take measures to protect their cardholders. MasterCard's roughly 23,000 customer financial institutions around the world issued 679.5 million MasterCard-branded cards in 2004, according to its Web site.
Since ChoicePoint announced in February that it mistakenly sold 145,000 consumer profiles to a ring of identity thieves, dozens of other organizations have announced security breaches of their own, ranging from banks to universities.
So far this year nearly 10 million Americans have been exposed, according to the Privacy Rights Clearinghouse.
The flood of revelations, triggered by a California state law that requires such disclosures, have prompted cries for tough national standards on privacy.
Several Democratic U.S. senators have introduced bills that would require companies to take "reasonable steps" to protect consumer account information and tell them when that information has been compromised.
Those bills have not yet attracted any Republican co-sponsors. Observers expect a more business-friendly, Republican-backed bill to be introduced as soon as next week.
New York Democratic Sen. Charles Schumer, who has sponsored a consumer data protection law, called on Congress to move quickly to pass legislation to better protect consumer data following Friday's news.
"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," he said in a statement.
(Additional reporting by Andy Sullivan and Peter Kaplan in Washington, Duncan Martell and Eric Auchard in San Francisco)
