40 million credit cards compromised

June 18, 2005

MasterCard International announced Friday that multiple instances of fraud have been tracked back to CardSystems Solutions, Inc., a company that processes credit card transactions and other payments. Customer names, banks, and account numbers of up to 40 million cardholders have been exposed, of which about 13.9 million are MasterCard-branded cards, the company said. Visa and American Express cards were also affected.

"The breach appears to be the largest yet involving financial data," said David Sobel, of the Electronic Privacy Information Center.

CardSystems issued a statement late on Friday that said it learned of the potential breach 26 days ago, but that the FBI told the company not to advise the cardholders nor the public at large. CardSystems also said their statement had been vetted by the FBI.

A spokesperson for the FBI said that the agency had asked CardSystems not to disclose information that could compromise the investigation, but that it had not asked CardSystems to fail to disclose the breach at all.

Michael A. Brady, C.F.O. of CardSystems, told the Associated Press that "we're absolutely blindsided by a press release by the association," when speaking of MasterCard's release. A MasterCard spokesperson said that the company was obligated to inform its customers of the breach.

MasterCard spokesperson Sharon Gamsin said that CardSystems was hit by a virus-like computer script that stole customer data for the purpose of fraud. She said MasterCard does not know how the script got into the CardSystem network.

Sobel said this theft "indicates that this is a shadowy industry where the consumer never really knows who is going to be handling and using their personal information. Presumably, the affected consumers thought they were dealing with MasterCard." Having a third-party process credit card transactions is common practice in the industry.