It's a letter no consumer wants to receive.
"We are writing you today to let you know that Visa recently informed us of an unauthorized network intrusion," says a note sent earlier this month by Washington Mutual bank to an undisclosed number of consumers. "This network breach affects the security of your Washington Mutual ATM/Visa Check Card."
The account numbers were exposed to hackers by a merchant, the letter says — but Visa never told Washington Mutual what company is to blame.
The letter was eerily similar to a flurry of notices sent out earlier this year by banks across the country after BJ's Wholesale Club exposed a wide swath of member credit card numbers. The firm wouldn't disclose how many of its 8 million customers had their card numbers exposed, and potentially stolen by hackers, but dozens of banks were forced to reissue tens of thousands of credit cards, according to various news reports.
The Washington Mutual letter goes on to say that the bank will issue replacement cards as a precaution; the old check card won't work within a few days.
But a lot of information is missing from the notice. How were the account numbers compromised? How many victims are there? Why did it happen? And what's to prevent it from happening again? The BJ's case was unusual because the leak was traced back to a guilty merchant. In most cases, consumers never really know what happened to their data.
Even Washington Mutual doesn't know. Just like the consumer, the bank has no control over Visa merchants who leak credit cards, said spokeswoman Libby Hutchinson. She also has no idea how widespread the problem is for Washington Mutual, other than to say the compromise affected "many issuers."
"Sadly, this is very common," she said.
120 million accounts exposed?
Just how common is a source of heated debate in the credit card fraud world, which has always been shrouded in secrecy. But one firm that provides security services to merchants says it's been told by the card associations that last year, 60 million accounts were compromised, and this year, that figure will double to around 120 million.
"And everyone I talk to says that number is conservative," says Julie Ferguson, co-founder of ClearCommerce Corp., which sells products designed to stop data theft. Ferguson also chairs the Merchant Risk Council, which studies credit card fraud and advocates for merchant rights.
Visa, Mastercard and American Express all dispute the numbers as an exaggeration.
"We don't release that kind of data, but that seems way overstated," said Linda Locke of Mastercard. "We will not validate that number. We think that number is incredibly overstated."
But Ferguson says simply adding up news reports about leaked accounts reveals hundreds of compromises and millions of exposed account numbers — and most leaks are never reported.
"I know about a compromise of 1 million records that just happened one month ago," she said. Ferguson claims the card associations themselves as her source for her 120 million. "It's a phenomenal problem, the data security problem. Nobody understands how bad it really is."
Another consultant who works to help merchants secure credit card data, who spoke on condition of anonymity, said he was told 11 million to 12 million account numbers were compromised during a one-month time frame earlier this year.
"You have these large incidents that make the press on a daily basis, but you're seeing smaller breaches that reinforce there's a huge problem," he said. "It's widely known that the trend is getting worse. ... I do think it would be interesting if people understood the magnitude of the problem."
Actual fraud rate dropping
Since January 2000, when the first high-profile Internet-related credit card leak occurred, stories of account compromises have peppered newspapers, television and the Internet to the point of becoming background noise. Banks and credit card associations work fast after a batch of credit cards is leaked; often, accounts are canceled long before fraud occurs. In fact, Ferguson says that's the silver lining in her research: only about 1 percent of the compromised cards are used for fraud before they are canceled. Gartner researcher Avivah Litan confirms that notion, saying her research shows that the actual incidence of credit card fraud has stabilized in the past year, or perhaps even dipped slightly.
Still, when accounts are compromised, there are hassles for the consumer. Automatic payments and withdrawals no longer work and have to be reauthorized. The new card has to be activated. And there's that uneasy feeling: What else do they know about me?
There's little arguing the size of the problem. This year, both Visa and Mastercard will implement tough new standards on merchants to control the personal data they store on consumers. For example, the standards require an oft-recommended strategy for protecting data: encrypting stored credit card numbers, so that even if the data is stolen it is useless to the thief, provided the decryption key isn't stored alongside it. Both associations say they will be conducting audits of merchants and issuing fines for firms that don't comply. Mastercard's Site Data Protection program took effect in June, while Visa's Cardholder Information Security Program was implemented on Sept. 30. American Express and Discover are also implementing similar programs.
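What the encryption requirement actually buys is easiest to see in code. The following is an added example written for this page, not code from the article or from any card association's program: a card record is stored with the number encrypted under a key the database never holds, so a dump of the table yields only ciphertext and the last four digits. The 32-byte key, the key identifier and the Visa test number 4111 1111 1111 1111 are constructed assumptions; in production the key would come from an HSM or key-management service rather than be built in the application.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the shape of a row in the merchant's database. There is
// no cleartext PAN column at all: only AES-GCM ciphertext (nonce
// prepended), the last four digits for receipts, and the ID of the key
// that was used, so keys can be rotated without re-reading every row.
type StoredCard struct {
	KeyID      string
	Ciphertext []byte // nonce || AES-256-GCM(PAN)
	Last4      string
}

// ProtectPAN encrypts a card number under a 32-byte key. The key must
// live outside the database (HSM, KMS, or at least a different host);
// here the caller passes in a constructed test key.
func ProtectPAN(keyID string, key []byte, pan string) (StoredCard, error) {
	pan = strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// The key ID goes in as associated data, so a record cannot be
	// quietly re-filed under a different key without failing to open.
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(keyID))
	return StoredCard{KeyID: keyID, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// RecoverPAN decrypts a stored record. It fails closed on a wrong key,
// a modified ciphertext, or a changed key ID.
func RecoverPAN(key []byte, rec StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(rec.Ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := rec.Ciphertext[:gcm.NonceSize()], rec.Ciphertext[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.KeyID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// MaskedPAN is all a receipt, support screen or log line should ever show.
func MaskedPAN(rec StoredCard) string {
	return "**** **** **** " + rec.Last4
}

// RecordLeaksPAN is the check a thief effectively runs on a stolen table:
// does the row contain the card number in the clear?
func RecordLeaksPAN(rec StoredCard, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed test key; never hard-code one in production
	rec, err := ProtectPAN("card-key-2004-10", key, "4111 1111 1111 1111") // Visa test number
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: key=%s last4=%s ct=%x\n", rec.KeyID, rec.Last4, rec.Ciphertext)
	fmt.Println("receipt shows:", MaskedPAN(rec))
	fmt.Println("dump contains PAN in clear:", RecordLeaksPAN(rec, "4111111111111111"))
	pan, _ := RecoverPAN(key, rec)
	fmt.Println("authorized recovery:", pan)
	_, err = RecoverPAN(bytes.Repeat([]byte{0x43}, 32), rec)
	fmt.Println("recovery with wrong key:", err)
}
```

The point of the key ID as associated data and of the authenticated mode is that a stolen table is useless twice over: without the key the ciphertext cannot be read, and with the key nobody can quietly swap or edit rows without decryption failing.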
The trouble is, even the card associations aren't following their rules, says Litan. In discussions with banks and merchants, she's learned that about 50 percent of Visa merchants are getting an exemption from the encryption rule.
“Basically, they are telling merchants they don’t have to encrypt the data as long as they implement what they refer to as mitigating controls,” she said. Many of the exceptions are going to older firms which store data on bulky mainframe computers, where implementing encryption would be costly, she said.
But the real problem, says Ferguson, is smaller merchants who store consumer data but simply haven't paid the money to set up decent security systems. A recent study revealed that nine out of ten merchants implement "do-it-yourself" security, meaning they try to secure their private data on their own. While persuading merchants to hire outside security consultants is in Ferguson's interest, there is no arguing the prevalence of leaked data. Numerous computer security mailing lists have been abuzz recently with descriptions of how easy it is to use the Google search engine to find large caches of credit card numbers sitting unprotected on computers attached to the Internet.
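A merchant who wants to know whether such a cache exists on their own systems can look for it the way an attacker does: find digit runs of card-number length and keep only those that pass the Luhn check, which real card numbers do and most order numbers and phone numbers do not. The following Go scanner is an added example, not code from the article or from any vendor named in it; the dump it scans is constructed sample text, and the two card numbers in it are the standard Visa and Mastercard test values, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one card-number-shaped value that also passed the Luhn check.
type Finding struct {
	Line   int
	Masked string // never carry the full number out of the scanner
}

// candidate matches 13 to 19 digits with optional single spaces or
// dashes between them, which covers the common ways a PAN gets written.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// LuhnValid implements the ISO/IEC 7812 check-digit test that every
// real card number satisfies. A random digit string fails it nine times
// out of ten, which is what makes it a useful filter.
func LuhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // non-digit byte
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanForPANs walks text line by line and returns the Luhn-valid
// candidates (masked) plus the count of candidates Luhn rejected.
func ScanForPANs(text string) (hits []Finding, rejected int) {
	strip := strings.NewReplacer(" ", "", "-", "")
	for n, line := range strings.Split(text, "\n") {
		for _, m := range candidate.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if !LuhnValid(digits) {
				rejected++
				continue
			}
			hits = append(hits, Finding{Line: n + 1, Masked: "****" + digits[len(digits)-4:]})
		}
	}
	return hits, rejected
}

// sampleDump is constructed sample text standing in for an exposed
// order log; the two card numbers are the standard Visa and Mastercard
// test values, not real accounts. The 16-digit "ref" fails Luhn.
const sampleDump = `order=10021 cust=alice card=4111 1111 1111 1111 exp=09/06
order=10022 cust=bob phone=555-867-5309 ref=1234567890123456
order=10023 cust=carol card=5500-0000-0000-0004 exp=11/05`

func main() {
	hits, rejected := ScanForPANs(sampleDump)
	for _, h := range hits {
		fmt.Printf("line %d: probable card number %s\n", h.Line, h.Masked)
	}
	fmt.Printf("%d candidate(s) rejected by Luhn\n", rejected)
}
```

Run against a web root or a file share, a scanner like this turns up the same unprotected files a search engine would index, and it reports only masked values so the scan itself doesn't create a second copy of the data.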
Litan says another element of the problem that's often overlooked is that even merchants with no consumer Web site can be hacked. A brick-and-mortar grocery store can leak credit card data just as an online merchant can, because it still stores transaction data on computers that are often connected to the Internet in some way. That means the old adage that you stay safe by not using a credit card online doesn't really hold water, Litan said.
Analysts are hopeful that the new Visa and Mastercard security rules will have an impact, particularly because financial institutions are increasingly growing impatient with taking the burden for the problem. Reissuing credit cards can cost $20 or more for each consumer, a costly measure when thousands of accounts are compromised. Philadelphia-based Sovereign Bank, for example, told The Associated Press that it had to reissue 81,000 cards twice after the BJ's break-in, at a cost of about $1 million.
There's a customer relations hit, too — Washington Mutual makes clear in its letter to consumers that it's not at fault for the data compromise. Still, the firm has to deal with consumers who make the connection between data leak and the bank anyway, says Hutchinson.
Bob Sullivan is author of the new book Your Evil Twin: Behind the Identity Theft Epidemic.