

Hackers Tap 40 Million Credit Cards

The network is breached at a firm that handles merchant transactions. Nearly 70,000 bogus charges are seen. Credit scores may be at risk.

June 18, 2005 | Joseph Menn | Times Staff Writer

In the largest reported security breach of personal financial information, hackers infiltrated the computers at a Tucson credit card processing center and stole as many as 40 million card numbers, it was disclosed Friday.

MasterCard International said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the firms that process merchant requests for credit card authorization. When a retailer swipes a customer's card, the information goes to companies such as CardSystems for approval before getting passed along to banks.

At least 68,000 accounts have had fraudulent charges posted to them, said MasterCard Vice President Linda Locke. Most credit card companies reverse bogus charges that are reported to them. Social Security numbers and other personal information were not taken.

The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa USA, American Express, Discover and other cards. Visa did not return a call seeking comment.

"I think all four [of the major card issuers] will be tainted," said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center, a Washington research group that studies civil liberties in the digital age. "This is the biggest security breach by far."

Hackers and identity thieves from around the world trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. That also makes it more difficult to catch the culprits.

MasterCard, which uncovered the incursion and announced it Friday, revealed few details about the fraud and how and when it was discovered. The company would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.

"Several banks reported atypical patterns of fraud" this week, Locke said. "We traced disparate patterns of fraud back to CardSystems." After security firm CyberTrust Inc. examined the computers there, she said, "we believe that a hacker intruded and installed some malicious code that captured card information."

The FBI is investigating.

MasterCard said CardSystems had not been using industry safeguards at its Tucson processing center, suggesting to analysts that the numbers had not been encrypted for protection. CardSystems did not return calls seeking comment.

"There's no excuse for this," said Avivah Litan, a Gartner Inc. expert on the security of financial data. "This takes the cake."

MasterCard's revelation is the latest in a series of reported data breaches that began this year with word that identity thieves had accessed sensitive information on at least 145,000 people tracked by data broker ChoicePoint Inc. Major security lapses also have been disclosed at LexisNexis, Bank of America Corp. and, most recently, Citigroup Inc., which said the financial information of 3.9 million customers was lost by United Parcel Service Inc.

The reports, spurred by a California law requiring notification of consumers put at risk, have driven a spate of congressional hearings and proposals for tighter regulation. On Thursday, for instance, a Senate panel heard members of the Federal Trade Commission call for a national disclosure law and mandatory encryption.

Several members of Congress said the latest incident underscored the need for legislation to tighten the control on personal information. Some legislators have proposed banning the sale of Social Security numbers, except to help law enforcement. Various proposals are working through the House and Senate.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity-theft prevention bill in Congress quickly," said Sen. Charles E. Schumer (D-N.Y.), who has sponsored a consumer data protection law.

MasterCard said it would support applying stricter rules to credit card processors.

As typically happens when credit card information is stolen, MasterCard is leaving it up to the banks that issued the cards to warn the cardholders. It declined to name the banks.

Those banks usually don't pass the information along because most pilfered numbers don't get used and because issuing new cards, as many customers would demand, can cost $35 or more each. If all 40 million cards were replaced, that might cost more than $1 billion.

"They could contain the damage," Litan said. "All they need to do is put a stop on those cards and issue new ones. But of course they won't do that because it costs too much money."

All credit card holders should carefully review their statements because they will be reimbursed only if they report errant charges. And some consumer advocates recommend requesting a new card as a matter of course as often as every six months to guard against fraud.

Los Angeles Times Articles