In the largest reported security breach of personal financial information, hackers infiltrated the computers at a Tucson credit card processing center and stole as many as 40 million card numbers, it was disclosed Friday.
MasterCard International said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the firms that process merchant requests for credit card authorization. When a retailer swipes a customer's card, the information goes to companies such as CardSystems for approval before getting passed along to banks.
At least 68,000 accounts have had fraudulent charges posted to them, said MasterCard Vice President Linda Locke. Most credit card companies reverse bogus charges that are reported to them. Social Security numbers and other personal information were not taken.
The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa USA, American Express, Discover and other cards. Visa did not return a call seeking comment.
"I think all four [of the major card issuers] will be tainted," said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center, a Washington research group that studies civil liberties in the digital age. "This is the biggest security breach by far."
Hackers and identity thieves from around the world trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. That also makes it more difficult to catch the culprits.
MasterCard, which uncovered the incursion and announced it Friday, revealed few details about the fraud and how and when it was discovered. The company would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.
"Several banks reported atypical patterns of fraud" this week, Locke said. "We traced disparate patterns of fraud back to CardSystems." After security firm CyberTrust Inc. examined the computers there, she said, "we believe that a hacker intruded and installed some malicious code that captured card information."
The FBI is investigating.
MasterCard said CardSystems had not been using industry safeguards at its Tucson processing center, suggesting to analysts that the numbers had not been encrypted for protection. CardSystems did not return calls seeking comment.
