from www.latimes.com – MasterCard Inc.andVisa Inc.warned Friday that some of the data in their cardholder accounts may have been breached.
The companies don’t directly issue credit cards – they process card transactions for the banks that do. MasterCard said that it had notified banks – as well as law enforcement – of a potential problem with a third party, “U.S.-based entity.”
An independent data security organization is conducting a forensic review, MasterCard said. The company’s own systems haven’t been compromised. Visa said the same.
“MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information,” the company said in a statement without specifying how many cards may be at risk.
Visa said in a statement that it had handed over affected account numbers to card issuers who would, if necessary, reissue cards. Cardholders won’t be held responsible for fraudulent purchases, Visa said.
Earlier, the blog Krebs on Security wrote that MasterCard and Visa have told banks that the “major breach” could involve more than 10 million card numbers compromised between Jan. 21 and Feb. 25. The post noted that the affected information could be used to make counterfeit new cards.
Last year, hackers attacked large amounts of consumer information at firms including Citigroup, Google and Sony.
The Privacy Rights Clearinghouse, a San Diego nonprofit organization, tallied more than 535 data breaches last year involving more than 30.4 million sensitive records. The organization, which publishes a chronology of known data breaches, said it has added up an “alarming” total of 543 million compromised records in the United States since 2005.
Director Beth Givens said that number was only a “sampling.” Not all data breaches come to the attention of news organizations, she said, and many states have no requirement that companies report breaches to an official clearinghouse.
from www.msnbc.com – Law enforcement officials are investigating what appears to be a massive theft of U.S. consumers’ credit card data, MasterCard and Visa confirmed Friday. The computer security expert who first reported the theft said it might involve as many as 10 million MasterCard and Visa accounts, making it one of the largest known credit card heists.
“MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk,” that association said in a statement. “Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization.”
The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com. Krebs said the crime involves compromise of a credit card payment processor — a “middle man” that handles transactions between retailers and banks. The name of that institution is unknown, but processors have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.,-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.
Krebs reported that hackers had access to the unknown processor’s data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak “massive.”
Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands,” the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
Trading was halted for shares of Atlanta-based payment processor Global Payments Inc. on Friday, after speculation that the company was at the center of the data leak was raised by a Wall Street Journal story.
Gartner security expert Avivah Litan said she’s been told that the stolen data is already being used on the street by identity thieves.
“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently,” she said.
She’s been told that investigators believe the data theft originated in New York City.
“From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud,” Litan said in her blog post on the topic.
MasterCard said none of its computers were hacked as part of the incident.
“MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information,” the association added in its statement. “If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution…. It is important to note that MasterCard’s own systems have not been compromised in any manner. “