MasterCard says a security breach at Atlanta-based CardSystems Solutions, a third-party processor of payment card data, potentially exposed more than 40 million credit cards - of all brands - to fraud.
MasterCard says its team of security experts traced the breach to CardSystems. The incident is thought to be the largest security breach ever reported.
In a statement, CardSystems says it identified a potential security incident on Sunday, May 22nd, which it reported to the FBI the next day.
MasterCard says around 13.9 million of the payment cards at risk are its own MasterCard-branded cards. Around 20 million Visa accounts are thought to have been compromised, while the remaining accounts were other brands, including American Express and Discover.
MasterCard spokeswoman Jessica Antle told Reuters reporters that credit card information with names, account numbers and expiration dates of about 70,000 MasterCard cardholders had so far been found to have been taken out of a database system run by CardSystems.
She says that the firm has identified some incidents of fraud but it's "proportionally very small". Antle did not disclose whether the breach was by a CardSystems employee or by a possible hacker outside the company - although the information is understood to have been lifted by a malicious spyware program.
But the chief executive of CardSystems, John Perry, has said that the company should not have been retaining the records that were breached. Perry told the New York Times that the exposed data was being stored for "research purposes" to determine why some transactions had registered as unauthorised or uncompleted. This goes against data protection and storage rules established by MasterCard and Visa.
In a statement, MasterCard has called on Congress to extend the application of the Gramm-Leach-Bliley Act (GLBA) - which includes provisions to protect personal financial data held by financial institutions - to cover third-party processors. Currently, GLBA only applies to financial institutions providing services to consumers. MasterCard says the act should be extended to also include any entity, such as a third-party processor, that stores consumer financial information, regardless of whether or not it interacts directly with consumers.