American Express card holders were exposed during the same computer break-in which hit millions of Visa and MasterCard members, the company said Tuesday. Overall, 8 million accounts were said to have been put at risk by the hack into a third-party credit card processing system, but with no outbreak of fraud, the companies said they were hopeful the account information had not actually been stolen. Separately, Discover said that its users were also recently exposed by a computer hack, but would not confirm it was the same incident.
WHEN CONSUMERS swipe their credit cards at a checkout counter, their account number takes a long and winding path around a host of global networks that ultimately ensure the shop owner gets paid. It was one of the firms that push the account data through cyberspace that suffered a serious computer breach earlier this month, according to the credit card companies.
It’s not clear exactly how many accounts were placed at risk, because the credit card firms aren’t releasing detailed figures, but MasterCard spokeswoman Christina Costa said a total of 8 million cardholders were exposed, including 2.2 million MasterCard accounts. A spokeswoman for Visa said about 3.4 million of that firm’s accounts were exposed.
American Express spokeswoman Christine Elliott told MSNBC.com Tuesday that the company which leaked the data also processed Amex transactions, so some Amex cards were also placed on fraud alert. She wouldn’t reveal how many.
“At this point we’re monitoring the situation,” Elliott said. “We haven’t been aware of any fraud with those cards. We have put in place our monitoring systems.”
Discover spokeswoman Beth Metzler said her firm had been notified recently by one of its third-party processors that it had suffered a breach, but she couldn’t confirm this was the same incident as the Visa-MasterCard-American Express exposure. The incident impacts only “a small percentage” of the firm’s 50 million customers, she said.
But if MasterCard’s estimates are right, it’s likely some 2.4 million American Express and Discover card users were also placed at risk by the incident.
INTENTIONS UNKNOWN
Each of the credit card issuers stressed, however, that while a critical computer intrusion occurred, and financial data was available for the taking, it’s not clear what was actually stolen — and what the attacker’s intentions are. All the impacted accounts have been monitored for at least several days, and there’s been no increase in fraud, according to Visa spokeswoman Casey Watson.
“They were all placed into our ‘compromised account management system,’ and we have not seen any accounts fraudulently compromised,” Watson said.
The credit card firms are reluctant to demand that issuing banks cancel the impacted accounts, said consumer advocate Dan Clements, because such recalls can cost banks up to $25 each. So they are hoping the breach will blow over without incident, he said.
But at least one institution — Citizen’s Bank, which serves customers in the Northeast — has elected to take the safe, costly route, reissuing some 8,000 cards, Clements said.
All the card issuers declined to reveal the name of the firm that leaked the data. Visa spokeswoman Watson cited contracts with the firm that prevented disclosure.
WHAT CONSUMERS SHOULD KNOW
Consumers shouldn’t be worried, Watson said, because credit card thieves typically move quickly when they steal card numbers — so the lack of fraudulent activity is an optimistic sign.
“They know the window of opportunity is very small,” she said. “I don’t think (consumers) should be worried. The system indicates there has been no fraud. They should rest easy and know we are keeping an eye on their accounts.”
Nevertheless, the story is enough to make credit card holders a bit uneasy. Credit card companies and merchants almost never tell customers when their personal information has been exposed to a hacker, so it’s unlikely that any consumer whose information was exposed in this breach will ever know, Clements said.
Concerned consumers should check their monthly statements for unexpected charges. It’s even more effective to check daily charge activity through the bank’s Web site, if possible. The odds of being affected by this security breach are still below 1 percent, but careful statement review makes sense, anyway: Some surveys say as many as 1 in every 20 consumers has experienced credit card fraud.