Security Lapse Leaves Millions Open to Fraud

Sift Media
Share this content

“Be careful who you give your personal information to” has become a consumer mantra in recent months. A recent security breach at CardSystems Solutions, however, demonstrates that it is not enough for consumers to safeguard their information. Businesses, too must be vigilant and carefully examine the firms they exchange information with.

CardSystems Solutions processes electronic payments for more than 105,000 small and mid-sized businesses. Every year, it handles Visa, MasterCard, American Express, Discover, online debit and electronic benefit transfer transactions totaling more that $15 billion.

The breach, first detected on May 22, has been traced back to a computer virus that captured customer data at CardSystems Operations and Customer Service Center in Tucson, Arizona. The FBI was notified the following day and investigations are ongoing. According to the Arizona Daily Star, the FBI instructed CardSystems to discuss the breach only on a “need to know” basis. The breach only came to the public's attention when MasterCard revealed that 13.9 million cards may be open to fraud. On Sunday, it was reported by the Chicago Tribune that only 68,000 of these were considered to be at high risk for identity theft.

The breach, estimated at 40 million cards, appears to be the largest breach of financial information identified to date and also affects Visa, American Express, Discover, and MBNA customers, among others.

The Associated Press reports that the data at risk includes names, banks and account numbers. Fortunately, no Social Security numbers appear to have been compromised. In contrast, the Arizona Republic reports that Sharon Gamsin, spokeswoman for MasterCard International Inc., says that card numbers and three-digit security codes were taken but not names, addresses or Social Security numbers.

“People don't need to worry that this is going to lead to ID theft,” Gamsin told the Arizona Republic.

The investigation began, according to the Arizona Daily Star, when several banks detected unusual levels of fraudulent charges and notified MasterCard. MasterCard, in turn, began monitoring the affected accounts for common purchasing points. Eventually the investigation, with help from a forensic accounting firm conducting complex data analysis, focused on a bank receiving spending data from merchants.

“When we started digging into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions,” John Brady, MasterCard's head of merchant risk services told the Arizona Daily Star.
“CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, we engaged an independent 3rd party to validate systems security,” says a statement on the CardSystems website. “Since that time, concurrent to the investigation proceedings, CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.”

“Although we don't feel they had adequate protection in place at the time…they have taken significant steps to improve their systems,” Gamsin told the Arizona Republic.

CardSystems is a privately owned business, incorporated in Delaware, with headquarters in Atlanta, Georgia. The company has about 80 employees and has been in business for nearly 20 years according to the Arizona Daily Star.

The Arizona Republic reports that the last major data leak at an Arizona company occurred two years ago when thieves stole computer hard drives containing the medical records and Social Security numbers of more than 500,000 military personnel from the Phoenix office of TriWest Healthcare Alliance.


Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.