In one of the biggest identity thefts ever, as many as 40 million credit card numbers have been stolen from an Atlanta credit card processing firm, according to MasterCard International, and some of the stolen numbers have already been used to make fraudulent purchases.
MasterCard said yesterday that criminals used a computer virus to collect vast amounts of financial data moving through the company's computer network and estimated that 13.9 million of its accounts may have been stolen. Thieves also had access to millions of cards issued by Visa and Discover, as well as some
"This illustrates that consumers don't have control over their personal sensitive information, and that has to change," said Susanna Montezemolo, policy analyst for Consumers Union, which publishes Consumer Reports magazine. Consumers Union is calling for states and the federal government to require companies to notify customers if their personal data have been breached. Current laws leave it largely up to the discretion of the company to determine whether to alert consumers. Banks, however, adhere to a stricter standard: banking regulators in March issued guidance to banks telling them that they should notify consumers if the data have been misused or if it is "reasonably possible" that they will be.
Credit card issuers say the theft poses little direct risk to customers, because cardholders do not have to pay for fraudulent charges on their accounts. MasterCard International also said that the stolen data did not include Social Security numbers or birthdates. These can be used by criminals to create fake identities and open new credit card accounts, which can ruin a victim's credit rating.
Still, the card companies said that cardholders should carefully examine their monthly statements to spot phony charges. Consumers should also regularly obtain copies of their credit reports, which will also indicate fraudulent activities. Information on how to obtain the reports is available from the Federal Trade Commission website, at www.ftc.gov.
US Representative Barney Frank, Democrat of Newton, said the credit card issue yesterday reinforces the need to mandate that companies give more notice to consumers if their personal financial information is lost or stolen.
Such notification would publicly embarrass the companies and force them to be more careful, said Frank, the ranking member of the House Committee on Financial Services. "Their argument is, 'we don't want to clog people's mailboxes.' Coming from the financial services industry, that is the silliest thing you ever heard."
The latest data theft occurred at CardSystems Solutions Inc., which operates a data network for merchants that can process thousands of transactions per second.
MasterCard International, one of the largest credit card management firms, said it discovered a security breach at CardSystems during a routine audit conducted earlier this spring. MasterCard security specialists found that a CardSystems computer had been infected with a program that collected credit card data and transmitted it over the Internet to an unknown destination.
In a statement issued late yesterday, Bill Reeves, CardSystems senior vice president of marketing, said his company, not MasterCard, discovered the breach on May 22. The next day, said Reeves, CardSystems contacted the FBI, then notified Visa and MasterCard. "We are sparing no effort to get to the bottom of this matter," Reeves said.
MasterCard said that its examination of CardSystems computers found that information had been copied from a database containing 40 million account numbers from a variety of credit card brands. It also found that the CardSystems network had been infected sometime late last year, meaning that the data thieves had been able to collect credit card numbers for several months before the breach was detected.
The investigators found that some of the stolen card numbers have been used illegally. "We are aware of some fraud from the data that's been taken," said Jessica Antle, spokeswoman for MasterCard International. She added that the thieves had used very few of the stolen account numbers so far.
A spokeswoman for Discover Financial Services Inc. could not say whether any Discover cards were affected. She said the company was working with law enforcement officials to investigate the matter. A spokeswoman for American Express said that CardServices processes only about one-tenth of 1 percent of all American Express card transactions. Nevertheless, she said the company was investigating the breach.
About 22 million Visa cards were "potentially compromised" by the infractions disclosed yesterday, said Rhonda Bentz, a spokeswoman for Visa USA, the largest credit card organization.
Former federal prosecutor Mark Rasch, chief technical counsel for computer security firm Solutionary Inc., was surprised by the scale of the crime. "It's not surprising that there's a breach," Rasch said. "It is surprising that there's this large a breach." Rasch said that the data-stealing computer virus should have been quickly detected if CardSystems ran regular virus scans.
Identity theft became a high-profile issue early this year, when database company
US Representative Edward Markey, Democrat of Massachusetts, said the MasterCard announcement was just the latest demonstration that American businesses are not doing enough to protect customer data.
"Today's announcement only underscores the need for new federal legislation to protect American consumers," he said.
Globe wire services were used in this story. Hiawatha Bray can be reached at bray@globe.com, Sasha Talcott at stalcott@globe.com.