MasterCard International announced that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards. Nearly 70,000 MasterCard account numbers were especially at risk because they were kept in a file exported from CardSystems' database, reported internetnews.com.
MasterCard International's team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants. Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor's systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.
CardSystems Solutions, Inc., identified (message from June 17, 2005) a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security. Since that time, concurrent to the investigation proceedings, CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.
In spite of all the security measures implemented by CardSystems Solutions, the impact of the incident is horrible. Legislative activity was initiated in the USA. Financial institutions all over the world are beginning to lose customers' confidence. Moreover, the incident put people in different parts of the world at risk of data theft. That's why it will be very difficult for law enforcement organizations to cope with international fraud.
“CardSystems Solutions stored all information about credit card transactions unencrypted. In aggregate with weak IT-security measures, everyone from an inside employee to a sophisticated hacker could steal MasterCard and VISA accounts from CardSystems. The incident affected people from North America, Asia and Europe. It's the first data leakage of such a global scale,” commented Denis Zenkin, the Marketing Director of InfoWatch.
“MasterCard International has done everything to keep its image unaffected, but the reputation of CardSystems Solutions is soiled. It will be very difficult for the company to regain partners' and customers' confidence, and that is the most dangerous consequence of every private data theft. That's why businesses should take care of their internal IT-security measures beforehand,” he adds.
Source: MasterCard International, CardSystems, Internetnews.com