CardSystems Solutions Intrusion Exposes 40 Million Credit Cards

I am stunned by the scale of this story, and I expect to hear it get worse. Yesterday MasterCard International issued a statement that said

"MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.

MasterCard International's team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data."

This AP story mentions "the security breach involves a computer virus that captured customer data for the purpose of fraud" and MasterCard "did not know how a virus-like computer script that captured customer data got into CardSystems' network, which MasterCard said was infiltrated by an unauthorized individual."

The same AP story reports that CardSystems did not expect MasterCard to report the news:

"'We were absolutely blindsided by a press release by the association,' CardSystems' chief financial officer, Michael A. Brady, told The Associated Press when reached on his cell phone."

CardSystems own press release implies they identified the fraud by saying the following:

"CardSystems Solutions, Inc., identified a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident."

While researching this event, I found a story from over two years ago that sounds very similar:

"Information was stolen from more than 2.2 million MasterCard International accounts and approximately 3.4 million Visa USA cardholder accounts, according to those companies.

The theft occurred when the system of a company that processes credit card transactions for merchants was broken into.

Neither Visa nor MasterCard would identify the company that was hacked, nor would they provide information on how the theft occurred, citing security concerns."

I imagine MasterCard learned from that event and decided to go public now as a form of damage control.

I agree with this comment in the latter part of the MasterCard press release:

"While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions.

Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers."