The epidemic of information theft, leakage, and loss continued this past weekend with the announcement by MasterCard that 40 million credit card accounts had been compromised. The breach – as always attributed to hackers first, although this may be later clarified – affected almost 14 million MasterCard accounts, with the rest belonging to Visa and other companies. The lapse in security was at a third-party processing facility (CardSystems Solutions Inc), not MasterCard itself.

The latest twist in this story, just being reported this morning, is that the third-party processing company is now admitting that they were breaking rules established by Visa and MasterCard regarding information storage. Consumer records were being stored for ‘research purposes’, according to the company’s CEO; the CEO explicitly states that “we should not have been doing that” (first reported by The New York Times). The same article also reports that CardSystems Solutions was storing the 3/4-digit verification codes that are supposed to heighten credit card security in online purchases. The presence of that information can “double or triple the black-market value of a cardholder’s account” – even more reason to question the company’s unnecessary data storage practices.

Sen. Patrick Leahy, D-Vt, has thus far made the most telling statement regarding the recent state of affairs: “It’s the Wild West out there … The handling of electronic data is weighed so heavily to the convenience of the corporate world at the expense of consumers” (quoted from this USA Today article).

The same USA Today article specifies the information that was exposed by the security lapse: card holder names, account numbers, security codes and expiration dates. As of now, MasterCard is still maintaining that no identity theft-type information (such as SSNs) was being stored by CardSystems Solutions. However, given today’s admission by that company’s CEO, who knows what other rules were being broken with regards to information-handling procedures.

The other interesting slant to this story is the way in which the news broke. MasterCard first announced the security lapse, despite the fault lying with a third-party credit card processing facility. The other major credit card companies – Visa, American Express, and Discover – all avoided comment at first. While MasterCard cited its personal obligation to report potential risk to consumers, other companies either remained silent or deflected questions by using the ‘ongoing investigation’ shield. If MasterCard was able to alert its 14 million consumers to the risk of credit card fraud, why weren’t the vendors encompassing the other 26 million willing or able to do the same? This Houston Chronicle article covers the reactions of each major credit card company; notice the openness of MasterCard versus the defensive PR positions of the other major players.

This entry was posted by Paul Otto (pnotto@ncsu.edu) on Monday, June 20th, 2005 at 7:54 am and is filed under Identity Theft. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Note: Blog posts are the opinions of their authors and do not reflect the official opinion of the National Science Foundation or North Carolina State University.