Viewed by the numbers, it's the largest security breach made public in recent memory.
An "unauthorized individual" infiltrated the computer network of a third-party payment processor and may have stolen up to 40 million credit card numbers, MasterCard International revealed Friday. All brands of credit cards were exposed in the attack; about 14 million of the 40 million accounts exposed were MasterCard accounts, the firm said.
MasterCard spokeswoman Jessica Antle said other important personal information, such as Social Security numbers and birthdays, was not stolen during the incident.
MasterCard pinned the blame on Tucson, Ariz.-based CardSystems Solutions Inc. In a statement issued late Friday, CardSystems confirmed it suffered a "security incident" on May 22.
"We understand and fully appreciate the seriousness of the situation," the statement, which was signed by marketing director Bill Reeves, said. "We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation."
CardSystems did not answer other questions posed by e-mail and did not return telephone calls.
On its Web site, CardSystems says it performs transactions for more than 100,000 small companies with more than $15 billion in Visa, MasterCard, American Express and Discover transactions processed annually.
Visa USA acknowledged in a statement that some of its credit card accounts were also compromised in the incident; it did not reveal how many. Judy Tenzer, a spokeswoman for American Express, confirmed a small number of its customers were also caught up in the breach. Discover did not immediately return phone calls seeking comment.
MasterCard officials say they discovered the fraud and traced it to a problem at CardSystems. CardSystems, in its statement, indicated it discovered the incident and voluntarily reported it to the FBI and the credit card associations.
CardSystems also would not confirm the number of accounts placed at risk by the intrusion, pegged at up to 40 million by MasterCard.
"MasterCard International is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud," MasterCard's statement said.
MasterCard said it identified CardSystems after spotting fraud on credit card accounts and finding a common thread among them that traced back to the processor.
"Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached," the company said in its statement.
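The detection MasterCard describes is what the card industry calls a common-point-of-purchase analysis: issuers report cards that have been used fraudulently, and the association looks for a processor (or merchant) that nearly all of those cards passed through and that is over-represented among them compared with the card population as a whole. What follows is an added illustration of that idea, not MasterCard's fraud-fighting tools or any code from the article. The transaction records, card identifiers, dates, thresholds and the processor names ProcA to ProcD are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not from the article). Card identifiers are
# placeholder tokens, processors are hypothetical names, and each
# transaction is (ISO date, processor, merchant category).
TRANSACTIONS = {
    "c01": [("2005-05-23", "ProcA", "grocer"), ("2005-05-28", "ProcB", "gas")],
    "c02": [("2005-05-24", "ProcA", "cafe"), ("2005-06-01", "ProcD", "hotel")],
    "c03": [("2005-05-25", "ProcA", "gym"), ("2005-05-26", "ProcB", "gas"),
            ("2005-06-02", "ProcD", "air")],
    "c04": [("2005-05-30", "ProcA", "cafe"), ("2005-06-03", "ProcC", "books")],
    "c05": [("2005-05-31", "ProcA", "grocer"), ("2005-06-04", "ProcB", "gas")],
    "c06": [("2005-05-23", "ProcB", "gas"), ("2005-05-29", "ProcD", "hotel")],
    "c07": [("2005-05-24", "ProcC", "books"), ("2005-05-30", "ProcD", "air")],
    "c08": [("2005-05-25", "ProcB", "gas"), ("2005-06-01", "ProcC", "books")],
    "c09": [("2005-05-26", "ProcC", "books"), ("2005-06-02", "ProcD", "hotel")],
    "c10": [("2005-05-27", "ProcB", "gas"), ("2005-05-28", "ProcC", "books"),
            ("2005-06-03", "ProcD", "air")],
    "c11": [("2005-05-27", "ProcB", "gas"), ("2005-06-04", "ProcD", "hotel")],
    "c12": [("2005-05-29", "ProcC", "books")],
}

# Cards that issuing banks later reported as used fraudulently (constructed).
FRAUD_CARDS = {"c01", "c02", "c03", "c04"}


def cards_by_processor(transactions, cards, since=None):
    """Map processor -> set of cards (restricted to `cards`) that transacted
    through it on or after `since` (ISO date string; None means no limit)."""
    seen = defaultdict(set)
    for card in sorted(cards):            # sorted for deterministic ordering
        for date, proc, _merchant in transactions.get(card, []):
            if since is None or date >= since:
                seen[proc].add(card)
    return seen


def rank_common_points(transactions, fraud_cards):
    """Common-point-of-purchase ranking.

    For each processor:
      coverage = share of fraud-flagged cards that passed through it
      baseline = share of all cards that passed through it
      lift     = coverage / baseline
    Returns [(processor, coverage, baseline, lift)] sorted by lift, descending.
    """
    if not fraud_cards:
        return []
    all_cards = set(transactions)
    by_all = cards_by_processor(transactions, all_cards)
    by_fraud = cards_by_processor(transactions, fraud_cards)
    ranking = []
    for proc, all_set in by_all.items():
        coverage = len(by_fraud.get(proc, ())) / len(fraud_cards)
        baseline = len(all_set) / len(all_cards)
        ranking.append((proc, coverage, baseline, coverage / baseline))
    ranking.sort(key=lambda row: row[3], reverse=True)
    return ranking


def identify_breached_processor(transactions, fraud_cards,
                                min_coverage=0.9, min_lift=2.0):
    """Return the top-ranked processor if it clears both thresholds, else None.

    Coverage alone is not enough: a processor that handles most cards will
    cover most of any subset, so lift against the baseline is required too.
    Thresholds are illustrative assumptions, not industry values."""
    ranking = rank_common_points(transactions, fraud_cards)
    if not ranking:
        return None
    proc, coverage, _baseline, lift = ranking[0]
    if coverage >= min_coverage and lift >= min_lift:
        return proc
    return None


def exposed_cards(transactions, processor, since):
    """Every card that transacted through `processor` on or after `since`:
    the list an association would pass to issuing banks to watch for fraud,
    which is larger than the set of cards already seen in fraud."""
    by_proc = cards_by_processor(transactions, set(transactions), since)
    return sorted(by_proc.get(processor, set()))


if __name__ == "__main__":
    for row in rank_common_points(TRANSACTIONS, FRAUD_CARDS):
        print("%s coverage=%.2f baseline=%.2f lift=%.2f" % row)
    culprit = identify_breached_processor(TRANSACTIONS, FRAUD_CARDS)
    print("suspected processor:", culprit)
    print("cards to flag:", exposed_cards(TRANSACTIONS, culprit, "2005-05-22"))
```

In the constructed data every fraud-flagged card ran through ProcA, but ProcA only handles five of the twelve cards, so it stands out with a lift of 2.4 while the other processors score below 1. The exposure list that follows (five cards, one of which has shown no fraud yet) is the analogue of the account list MasterCard says it sent to issuing banks: exposure is decided by the transaction window at the compromised processor, not by observed fraud.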
MasterCard spokeswoman Sharon Gamsin said a computer virus was not to blame for the data theft. She said she couldn't provide details of how the systems were hacked, but did say that "an unauthorized entity put a specific code into CardSystems' network," enabling the person or group to gain access to the data. She wouldn't say how long attackers had access to CardSystems computers.
But upon discovering the incident, MasterCard immediately notified customer banks of specific card accounts that may have been subject to compromise so they can watch for fraud, she said.
While intruders who raided the processor's system had access to 40 million accounts, it's not clear how many account numbers were actually stolen, she said.
Vulnerabilities in CardSystems' computers have now been fixed, she said.
"They did not have adequate protection, but they are being entirely cooperative," Gamsin said.
Banks may or may not close accounts
Typically, credit card-issuing banks decide whether to cancel and reissue credit cards connected to security breaches. It was not immediately clear what steps issuing banks were taking in response to the news.
But Avivah Litan, a security analyst with Gartner Inc., said most banks won't reissue cards until there's evidence of active fraud. Usually, that means the criminal with the stolen data can complete at least one or two purchases before the card is canceled, and that puts merchants at risk.
"The sad truth is that the card companies could easily contain the potential damage by shutting down the affected accounts and issuing new cards," she said. "But of course they won’t do that because that would cost them around $10 a card. Instead, they will let retailers take most of the hit."
The news comes on the heels of several other high-profile data leaks. The Privacy Rights Clearinghouse says about 10 million people's personal data has been lost or stolen since February.
The CardSystems incident is similar to a data theft in 2003 involving another payment processor, Omaha, Neb.-based Data Processors International. In that case, a computer criminal stole 8 million credit card account numbers from the processor.
"Data breaches are now at pandemic proportions," said Rob Douglas, a security expert who operates PrivacyToday.com. He has testified several times before Congress about data thefts. "The level of data breaches is not just a national embarrassment, it is a national emergency and Congress needs to act accordingly."
Rep. Ed Markey, D-Mass., was critical of the timing of the announcement, coming late on a Friday afternoon, suggesting the news was intentionally released then to limit media attention.
"Today's announcement only underscores the need for new federal legislation to protect American consumers from the unending stream of revelations from corporate America about failure after failure to protect the public from data security breaches," Markey said.
Markey is himself the author of three bills to combat identity theft. One would limit the sale and use of Social Security numbers, another sets new controls on those who sell personal data and a third would limit exporting of personal data outside the United States.
Bob Sullivan is author of