Interesting People mailing list archives

Major Card Vendors Stay Mum on Data Breach


From: David Farber <dave () farber net>
Date: Wed, 22 Jun 2005 03:41:31 -0400



Begin forwarded message:

From: Randall <rvh40 () insightbb com>
Date: June 22, 2005 1:37:16 AM EDT
To: JMG <johnmacsgroup () yahoogroups com>
Cc: Dave <dave () farber net>
Subject: Major Card Vendors Stay Mum on Data Breach


http://tinyurl.com/dek5x

Major Card Vendors Stay Mum on Data Breach
June 20, 2005

By Paul F. Roberts

Three days after MasterCard International revealed details of a massive
hack at third-party credit card transaction processor CardSystems
Solutions, little is known about how CardSystems' network was
compromised, and most major credit card issuers are keeping mum about
how many of their customers were caught up in the breach.

The hack, which may be the largest reported incident of data theft to
date, is focusing attention on lax security at CardSystems Solutions
Inc. and other third-party processors, which are not tightly monitored,
despite processing millions of sensitive credit card transactions each
year.

MasterCard on Friday said it was notifying its member financial
institutions of a data breach at CardSystems after the company, working
with forensic investigators from MasterCard, identified a potential
security incident on May 22.


More than 200,000 credit card accounts, out of 40 million, are believed
to have been exposed in the theft. CardSystems acknowledged in published
reports that it was improperly storing the accounts on its network for
research purposes.

In a statement Friday, CardSystems said it is installing additional
security procedures recommended by a security assessor involved with the
investigation.

MasterCard said that about 68,000 of its customers' accounts were put at
"high risk" by the compromise, out of 13.9 million MasterCard
cardholders who had transactions processed by CardSystems.

The company is working with member banks of specific accounts exposed in
the attacks, according to Linda Locke, vice president of global
communications at MasterCard International.

But spokespeople for Visa and American Express declined to provide
information on how many of their customers were affected, citing the
ongoing investigation into the breach and insufficient information.

In an e-mail statement, Visa said it has not yet detected any unusual
fraud patterns on Visa cards resulting from the security breach at
CardSystems, but that it is respecting the request of law enforcement to
keep information regarding the investigation confidential.

American Express said it is continuing to "monitor" the CardSystems
situation and is not ready to disclose how many cardholder accounts
might have been exposed, according to Christine Elliott, a company
spokeswoman.

Only a small number of its merchants used CardSystems, and only one half
of one percent of the company's traffic goes through CardSystems, she
said. But Elliott did not discount that American Express accounts may
have been compromised, given the size of the attack.

Locke, of MasterCard, said she couldn't speculate on why hers was the
only credit card company to go public with information on the breach,
but said she wasn't aware of any request by law enforcement to keep
information on the number of exposed accounts secret.

"We haven't released anything that we believe would compromise any
investigation," she said. "We work carefully with the FBI, and I think
they've said publicly that they think consumers should be warned."

The FBI declined to comment on the case, citing the ongoing
investigation.

Regardless of when, or whether, consumers find out about their accounts,
more scrutiny needs to be given to companies such as CardSystems,
according to Mike Gibbons, vice president of federal security services
at Unisys.

"The question is, 'Has this happened in the past?' Are businesses
learning from these events?" he said.

While companies that handle sensitive data may have shored up their own
network defenses, they often fail to follow the data trail and consider
the security of third-party companies they partner with, Gibbons said.

"My sense is that companies haven't thought this through from a
protection point of view—they haven't done real clear thinking about how
to protect sensitive data and what to do when incidents occur," he said.

MasterCard said it intends to take a "close look" at third-party
processors and is recommending that the U.S. government expand the reach
of data privacy laws such as Gramm-Leach-Bliley to cover third-party
processors that deal directly with consumers, Locke said.

While the current breach appears to be limited to CardSystems, Gibbons
said the types of data security lapses that were revealed at that
company are common, and he wouldn't be surprised if revelations about
similar incidents at other companies follow.

"The question isn't whether the sky is falling. The sky has already
fallen. The question is whether or not a piece of it hits you in the
head," he said.




--
My aim is to agitate and disturb people. I'm not selling bread, I'm
selling yeast. -Miguel de Unamuno, writer and philosopher (1864-1936)




