12 February 2016

CardSystems security breach exposed 40 million card accounts - MasterCard

20 June 2005

MasterCard says a security breach at Atlanta-based CardSystems Solutions, a third-party processor of payment card data, potentially exposed more than 40 million credit cards - of all brands - to fraud.

MasterCard says its team of security experts traced the breach to CardSystems. The incident is thought to be the largest security breach ever reported.

In a statement, CardSystems says it identified a potential security incident on Sunday May 22nd, which it reported to the FBI the next day.

MasterCard says around 13.9 million of the payment cards at risk are its own MasterCard-branded cards. Around 20 million Visa accounts are thought to have been compromised, while the remaining accounts were other brands, including American Express and Discover.

Jessica Antle, spokeswoman, MasterCard, told Reuters reporters that credit card information with names, account numbers and expiration dates of about 70,000 MasterCard cardholders had so far been found to have been taken out of a database system run by CardSystems.

She says that the firm has identified some incidents of fraud but that it is "proportionally very small". Antle did not disclose whether the breach was by a CardSystems employee or by a possible hacker outside the company - although the information is understood to have been lifted by a malicious spyware program.

But the chief executive of CardSystems, John Perry, has said that the company should not have been retaining the records that were breached. Perry told the New York Times that the exposed data was being stored for "research purposes" to determine why some transactions had registered as unauthorised or uncompleted. This goes against data protection and storage rules established by MasterCard and Visa.

In a statement, MasterCard has called on Congress to extend the application of the Gramm-Leach-Bliley Act (GLBA) - which includes provisions to protect personal financial data held by financial institutions - to cover third-party processors. Currently, GLBA only applies to financial institutions providing services to consumers. MasterCard says the act should be extended to also include any entity, such as a third-party processor, that stores consumer financial information, regardless of whether or not it interacts directly with consumers.
