MasterCard International said hackers breached the network of Atlanta-based CardSystems Solutions, which processes about $15bn of credit card transactions annually for over 100,000 small businesses in the US.

MasterCard said data on 40 million cards was compromised, 13.9 million of which bore the MasterCard brand. Visa confirmed that its cards were also compromised. CardSystems also processes American Express and Discover cards.

Both MasterCard and CardSystems claimed credit for discovering the breach. MasterCard said its own anti-fraud systems allowed it to identify a compromised payments processor.

The firm said it worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.

CardSystems claimed it noticed a breach on Sunday, May 22, notified the FBI the following day, and only after that notified MasterCard and Visa.

Visa gave less away, saying it was aware of a data security breach, and that it had not said anything sooner so as to not compromise the FBI investigation.

However, legislation in states such as California, which will almost certainly become federal law this year, requires companies that believe personal data on their customers has been stolen to notify those customers.

It may be mainly due to that law, and the fact that there has been a succession of security breach disclosures this year because of it, that information on the latest crack came to light at all. It may not even be the first attack on such a scale.

MasterCard said it has given CardSystems a deadline to show that its systems meet MasterCard’s security policies. CardSystems said it is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.

There’s no way of attaching a price tag yet to the breach. Certainly, CardSystems is incurring costs, and the credit card companies’ partners will be bearing the brunt of the support costs as blanket news coverage panics consumers.

Much of the impact will depend on what happened to the card data. Reading between the lines of MasterCard’s statement, it had already seen evidence of fraud, although that may conflict with CardSystems’ statement.

Because credit card users have a reduced exposure to fraud, the main financial damage will likely hit merchants, which will have to swallow the cost of any fraud perpetrated with the stolen data.