Mastercard International Inc. revealed details of a massive hack at third-party credit card transaction processor CardSystems Solutions Inc. in late June, but little is known about how CardSystems network was compromised, and most major credit card issuers are mum about how many customers were caught up in the breach.
The hack, which may be the largest reported incident of data theft to date, is drawing attention to lax security at CardSystems and other third-party processors, which are not tightly monitored, despite processing millions of sensitive credit card transactions each year.
MasterCard in late June said it was notifying its member financial institutions of a data breach at CardSystems after the company, working with forensic investigators from MasterCard, identified a potential security incident May 22. More than 200,000 credit card accounts, out of 40 million, reportedly have been exposed in the theft. Atlanta-based CardSystems acknowledged that it was improperly storing the accounts on its network for research purposes.
MasterCard said that about 68,000 of its customers accounts were put at high risk by the compromise, out of 13.9 million cardholders who had transactions processed by CardSystems. MasterCard is working with member banks, according to Linda Locke, vice president of global communications, in Purchase, N.Y.
But officials at Visa U.S.A. Inc., based in San Francisco, and American Express Co., in New York, declined to provide information on how many of their customers may have been affected, citing the ongoing investigation.
In an e-mail statement, a Visa spokesperson said that the company has not yet detected any fraud on Visa cards resulting from the CardSystems breach but that it is respecting the request of law enforcement to keep information confidential. American Express said it is continuing to monitor the CardSystems situation and is not ready to disclose how many cardholder accounts might have been exposed, said company spokesperson Christine Elliott. Only a small number of American Express merchants use CardSystems, and only half of 1 percent of the companys traffic goes through CardSystems, Elliott said.
MasterCards Locke said she couldnt speculate on why hers was the only credit card company to go public with information on the breach, but she said she wasnt aware of any request by law enforcement to keep information secret. "We work carefully with the FBI. Theyve said publicly that consumers should be warned," she said.
The FBI declined to comment on the case, citing the ongoing investigation.
More scrutiny needs to be given to companies such as CardSystems, said Mike Gibbons, vice president of federal security services at Unisys Corp., of Blue Bell, Pa. "The question is, Has this happened in the past? Are businesses learning from these events?" Gibbons asked.