More than 13,000 New Zealand credit card holders are being warned to check their statements following the discovery that thieves had managed to access data on up to 40 million credit card transactions.
Card holders who shopped at U.S. stores or online at U.S.-based websites between September 2004 and June 2005 are being told to check their statements carefully and to contact their banks should anything unusual show up.
As Computerworld reported yesterday, Arizona-based processing company CardSystems Solutions had stored the card transaction details without authorization. According to The New York Times, hackers managed to install a trojan on the system storing the card transactions and steal data on at least 200,000 accounts although up to 40 million accounts were exposed.
Visa has announced that up to 12,000 cards issued by New Zealand banks are included in that 40 million total. Of that 12,000, Visa says around 94 percent of the data was not compromised.
"Even for the 6 percent remaining, a combination of fraud detection systems installed by Visa and its issuers means that there is no automatic link between accounts at risk and subsequent fraud."
MasterCard says up to 1,000 of its New Zealand customers are included in the 200,000 accounts that were stolen and that those customers have had their cards blocked and new cards issued instead. Both companies say any fraudulent activity that is discovered on cards as a result of this security breach won't result in any fees being charged to the cardholders, who are typically liable for the first $50 of any such fraud. Other credit and debit cards are also suspected to have been breached although MasterCard and Visa make up the vast majority of the cards involved.
Perhaps predictably, internet fraudsters have been quick to attempt to cash in on uncertainty surrounding the theft of the card numbers. Security vendor Secure Computing says it found the first phishing scam using MasterCard in the subject line to alarm email users after the breach was revealed.
Phishing emails attempt to trick the recipient to provide valuable information, such as credit card details, by purporting to be an official email from a trusted organization such as a bank.
The initial scam seemed hurried as it didn't mention the security breach and may be an old scam making the rounds again. Secure Computing expects scams to continue and to also be more sophisticated in the coming days, specifically referring in subject lines or body text to the latest big-news breach.
"Consumers should definitely be aware," says David Burt, public relations manager for Secure Computing.
The public disclosure of the CardSystems breach, even though it was made weeks after it actually occurred, is likely somewhat in response to California's Senate Bill 1386, which deals with privacy and personal information, says Paul Stamp, an analyst with Forrester. More such disclosures should be expected, he says.
"These things are going to happen," he says. "They probably always did."
The difference now is that the public is demanding accountability, he says.
CardSystems undoubtedly has plenty to answer for. The Times reported that the stolen data wasn't encrypted, and credit card companies gave statements saying that CardSystems wasn't following its proper security requirements. "MasterCard is giving it a limited amount of time to demonstrate compliance," the company said in a statement.
The breach may trace back to mid-April when MasterCard International noticed atypical levels of fraudulent charges, according to the Times. The stolen records were in a computer file stored for "research purposes" at CardSystems, CEO John M. Perry is quoted as saying in the newspaper.
"We should not have been doing that," the newspaper quotes him saying. "That, however has been remediated."
The company no longer stores sensitive data on files, he says. The research the records were saved for involved ascertaining why some transactions were unauthorized or incomplete.
The breach occurred at CardSystems' Tucson, Arizona, operations center, MasterCard said when it disclosed the incident on Friday. MasterCard has launched an investigation into the matter, which also is being probed by the U.S. Federal Bureau of Investigation. The FBI was notified of the breach on May 23, according to a statement from CardSystems, but customers are only now being informed and told to contact their banks.