Watch CBS News

Hackers Crack Credit Card Security

A computer hacker may have accessed more than 40 million credit card accounts in what could be the largest in a series of recent security breaches involving consumer data, officials said.

MasterCard International Inc. announced Friday that the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants. All brands of credit cards could be affected.

The compromised data did not include addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. The data that may have been viewed--names, banks and account numbers--could be used to steal funds, but not identities.

Gamsin said she did not know how the virus-like computer script that captured customer data got into CardSystems' network, which MasterCard said was infiltrated by an "unauthorized individual." Neither company would elaborate.


The Early Show financial adviser Ray Martin offers tips of what to do to protect your identity at the end of this article.

The FBI was investigating.

MasterCard said 14 million of its customers may have been exposed to fraud. A spokeswoman for American Express said a small number of its cardholders were affected, but would not give an exact number. Discover Financial Services Inc. wouldn't say whether its customers were affected. Visa USA and a large issuer of cards, MBNA Corp., did not return calls for comment Friday.

The incident was the latest in a series of security lapses affecting consumer information. The breach appears to be the largest yet involving financial data, said David Sobel, general counsel at the Electronic Privacy Information Center.

"The steady stream of these disclosures shows the pressing need for regulation of the industry both in terms of limitation in the amount of personal information that companies collect and also liability when these kinds of disclosures occur," he said.

Under federal law, credit card holders are liable for no more than $50 of unauthorized charges, and many card issuers will even waive the $50.

Other companies that have been hit by security lapses recently include Citigroup Inc., Bank of America Corp. and DSW Shoe Warehouse. Federal lawmakers responded by drawing up legislation designed to better protect consumer privacy.

MasterCard announced the breach in a news release Friday, saying it was notifying its card-issuing banks of the problem.

CardSystems then released its own statement, saying it first learned of a potential breach on May 22. The company said it was told by the FBI not to release any information to the public; its statement Friday had been vetted by the agency.

"We were absolutely blindsided" by MasterCard's announcement, CardSystems' chief financial officer, Michael A. Brady, told The Associated Press.

CardSystems, which has a processing center in Tucson, Ariz., has been in business for more than 15 years and handles transactions for more than 115,000 small to mid-sized businesses, according to the company's Web site. The company says it processes transactions worth more than $15 billion annually.

Sobel said the fact that the latest breach involved a third party "indicates that this is a shadowy industry where the consumer never really knows who is going to be handling and using their personal information."

Earlier this month, Citigroup said UPS lost computer tapes with sensitive information from 3.9 million customers of CitiFinancial, which provides loans.

There have also been breaches involving other kinds of sensitive data.

ChoicePoint Inc. said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people.

In March, LexisNexis Inc. disclosed that hackers had commandeered a database and gained access to the personal files of as many as 32,000 people.

The company has since increased its estimate of the people affected to 310,000. Information accessed included names, addresses and Social Security and driver's license numbers, but not credit history, medical records or financial information, corporate parent Reed Elsevier Group PLC said in a statement.

The Early Show financial adviser Ray Martin offers these tips for monitoring possible identity theft.

ID Theft Warning Signs

Here are the signs that should tip you off if your personal and account information is being used fraudulently:

  • Your monthly bank, loan or credit card statements stop arriving in the mail
  • You get turned down for a new loan, credit card or a job based on information on your credit report
  • You get calls from bill collectors from accounts you did not open
  • When getting approved for a loan, the lender mentions that your credit score is lower that you believe it should be.
It is almost impossible to prevent ID theft from happening, even if you take every precaution to prevent it, particularly when a business that has your personal information is compromised from within. The single best defense against prolonged damage from ID theft is to frequently review your credit report information for signs of incorrect information and accounts that you did not open. Early detection and immediate action is the only way to stop the damage that can be done when your personal information is fraudulently used.

In short, you have to take as much interest in your credit record information as the bad guys do.

Request a copy of your credit report and review all the information on it at least every six months. If there is anything that is unfamiliar to you, such as a credit card or a bank account, ask the credit bureau how and when the account was opened. If it was not your doing, call the financial institution providing the account in question and alert them immediately.

Reporting ID Theft

If you suspect that you are a victim of identity theft, the Federal Trade Commission advises the following steps:

  • Contact the fraud department of one of the three credit reporting bureaus and request that they place a fraud alert on your file. As soon as the fraud alert is confirmed, the credit bureau must notify the other credit bureaus to place fraud alerts on your files there.
  • Request that the credit bureaus include instructions requiring a photo ID and an original signature to accompany any new applications for any accounts to be opened and require that no new credit be granted without your approval and verification of a secret password.
  • Immediately close accounts that you know to have been opened fraudulently.
  • Call your local police department and request to file a police report. Unfortunately, some police departments may not take your report, because these crimes are often multi-jurisdictional (because they are committed in several states). At least, request to file an incident report and keep a copy of the report in case you need it as proof of the crime later.
  • Also call the Federal Trade Commission ID Theft Hotline at 877-IDTHEFT (877-438-4338), or its Consumer Response Center at 877-382-4357 to file a report.
  • For further protection, notify all of your financial and service accounts that your personal information has been stolen and change all account numbers and add passwords on all accounts.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.