The credit card giant said its security division detected multiple instances of fraud that tracked back to CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants.
The compromised data included names, banks and account numbers — not addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. Such data could be used to steal funds but not identities.
It was the latest in a series of security breaches affecting valuable consumer data at major financial institutions and data brokers in an increasingly database-driven world.
The Early Show financial adviser Ray Martin offers tips of what to do to protect your identity at the end of this article.
The breach appears to be the largest yet involving financial data, said David Sobel, general counsel at the Electronic Privacy Information Center.
"The steady stream of these disclosures shows the pressing need for regulation of the industry both in terms of limitation in the amount of personal information that companies collect and also liability when these kinds of disclosures occur," Sobel said.
A flurry of disclosures of breaches affecting high-profile companies including Citigroup Inc., Bank of America Corp. and DSW Shoe Warehouse has prompted federal lawmakers to draw up legislation designed to better protect consumer privacy.
CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, Gamsin said. She said she did not know how the script got into the system. The FBI was investigating.
MasterCard, which said about 14 million of its own cards were exposed, first announced the breach in a news release late Friday afternoon, saying it was notifying its card-issuing banks of the problem.
However, CardSystems said late Friday vetted by the FBI that it first learned of a potential breach on May 22 and was told by the FBI not to release any information to the public. The company said it was surprised by MasterCard's decision to go public.
"We were absolutely blindsided by a press release by the association," CardSystems' chief financial officer, Michael A. Brady, told The Associated Press when reached on his cell phone. He refused to answer any questions and referred calls to the company's chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves.
Reeves said the information the company gathered initially was "on a need-to-know basis." He said he could not comment beyond a company statement, which did not give any details about the breach but noted that CardSystems is implementing increased security measures.
"I understand and fully appreciate the seriousness of the situation," Reeves said.
Under federal law, credit card holders are liable for no more than $50 of unauthorized charges, and many card issuers including MasterCard will even waive the $50.
CardSystems processes less than 0.5 percent of American Express' domestic transactions, said company spokeswoman Judy Tenzer. She said a small number of its cardholders were affected, though she did not have an exact figure.
"We are aware of the situation, we're closely monitoring it and we do have an investigation under way," Tenzer said.
Discover Financial Services Inc. said it was aware of the situation and would not say whether any of its cards were involved. Visa USA and a large issuer of cards, MBNA Corp., did not immediately calls seeking comment.
CardSystems, which has a processing center in Tuscon, Ariz., has been in business for more than 15 years and handles transactions for more than 115,000 small to mid-sized businesses, according to the company's Web site. The company says it processes transactions worth more than $15 billion annually.
Sobel said the fact that the latest breach involved a third party "indicates that this is a shadowy industry where the consumer never really knows who is going to be handling and using their personal information," he added. "Presumably, the affected consumers thought they were dealing with MasterCard."
Earlier this month, Citigroup said United Parcel Service lost computer tapes with sensitive information from 3.9 million customers of CitiFinancial, a unit that provides personal and home loans.
There have also been breaches involving other kinds of sensitive data.
ChoicePoint Inc. said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people.
The company has since increased its estimate of the people affected to 310,000. Information accessed included names, addresses and Social Security and driver's license numbers, but not credit history, medical records or financial information, corporate parent Reed Elsevier Group PLC said in a statement.
"Hardly a week goes by without startling new examples of breaches of sensitive personal data, reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," said Sen. Charles Schumer, D-N.Y.
Late Friday night, Visa USA issued a statement:
"Visa USA is aware that a U.S. third party processor experienced a data security breach of its system resulting in the compromise of Visa card account information. First and foremost, it's important for Visa USA cardholders to know they are fully protected against unauthorized purchases with Visa's zero liability fraud protection policy.
"Visa immediately began working with the processor, public authorities and the affected Member financial institutions to monitor and prevent card related fraud. Visa respected law enforcement's request not to compromise the confidential nature of the investigation. Visa USA will continue working with our Member financial institutions, merchants, and appropriate authorities to protect cardholders."
The company referred cardholders to its Web site at www.visa.com.
The Early Show financial adviser Ray Martin offers these tips for monitoring possible identity theft.
ID Theft Warning Signs
Here are the signs that should tip you off if your personal and account information is being used fraudulently:
- Your monthly bank, loan or credit card statements stop arriving in the mail
- You get turned down for a new loan, credit card or a job based on information on your credit report
- You get calls from bill collectors from accounts you did not open
- When getting approved for a loan, the lender mentions that your credit score is lower that you believe it should be.
In short, you have to take as much interest in your credit record information as the bad guys do.
Request a copy of your credit report and review all the information on it at least every six months. If there is anything that is unfamiliar to you, such as a credit card or a bank account, ask the credit bureau how and when the account was opened. If it was not your doing, call the financial institution providing the account in question and alert them immediately.
Reporting ID Theft
If you suspect that you are a victim of identity theft, the Federal Trade Commission advises the following steps:
- Contact the fraud department of one of the three credit reporting bureaus and request that they place a fraud alert on your file. As soon as the fraud alert is confirmed, the credit bureau must notify the other credit bureaus to place fraud alerts on your files there.
- Request that the credit bureaus include instructions requiring a photo ID and an original signature to accompany any new applications for any accounts to be opened and require that no new credit be granted without your approval and verification of a secret password.
- Immediately close accounts that you know to have been opened fraudulently.
- Call your local police department and request to file a police report. Unfortunately, some police departments may not take your report, because these crimes are often multi-jurisdictional (because they are committed in several states). At least, request to file an incident report and keep a copy of the report in case you need it as proof of the crime later.
- Also call the Federal Trade Commission ID Theft Hotline at 877-IDTHEFT (877-438-4338), or its Consumer Response Center at 877-382-4357 to file a report.
- For further protection, notify all of your financial and service accounts that your personal information has been stolen and change all account numbers and add passwords on all accounts.