Unauthorized storage of credit and debit card transaction data led to a security breach at third-party credit and debit card processing firm CardSystems Solutions Inc. that potentially exposed 40 million cardholders to risk, according to a report in The New York Times yesterday and The Associated Press.
CardSystems, Tucson, AZ, which claims to process $15 billion in Visa, MasterCard, American Express and Discover transactions annually, said Friday that it had discovered a possible security breach May 22 and had contacted the Federal Bureau of Investigation as well as the Visa and MasterCard card associations.
“CardSystems immediately began a remediation process to ensure all systems were secure,” the company said in a statement. “Additionally, CardSystems immediately engaged an independent third party to validate systems security.”
However, it was a Friday announcement by MasterCard International that revealed 40 million cards were at possible risk including 13.9 million MasterCard-branded cards. According to MasterCard, its security team detected the breach and has directed CardSystems to come into compliance with the firm's security requirements.
CardSystems chief executive John M. Perry told the Times and the AP that about 200,000 records across all card issuers were confirmed as stolen and that the data were being stored by his company without authorization and in violation of the credit card issuers' rules. He said the records were kept for research but that the practice was immediately discontinued. Transactional records include name, account number, expiration date and security code.
MasterCard told the press that 68,000 of its card accounts were identified as high risk because the data were exported from CardSystems.
Even before this breach was revealed, legislators were on their way to crafting several federal bills on data security and identity theft. The U.S. Senate Committee on Commerce, Science & Transportation considered legislative options at a hearing on those topics June 16.
With a potential 40 million cardholders at risk, the CardSystems breach is seemingly the largest that has been made public, though others have included CitiFinancial with 3.9 million customers at risk. Other breaches this year have included data provider ChoicePoint with 145,000 consumers notified of a breach and LexisNexis with 312,000.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters