Stolen records in latest breach were improperly kept

A third-party processing company should not have been keeping records stolen weeks ago by online thieves in a security breach that could have exposed 40 million credit-card numbers to fraud, the company's chief executive officer (CEO) told The New York Times over the weekend after the breach was revealed last Friday.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

The breach may trace back to mid-April when MasterCard International noticed atypical levels of fraudulent charges, according to the Times. The stolen records, which included 200,000 of the 40 million that were potentially compromised, were in a computer file stored for "research purposes" at CardSystems, CEO John M. Perry is quoted as saying in the newspaper.

"We should not have been doing that," the newspaper quotes him saying. "That, however has been remediated." The company no longer stores sensitive data on files, he said. The research the records were saved for involved ascertaining why some transactions were unauthorized or incomplete.

The breach occurred at CardSystems' Tuscon, Arizona, operations center, MasterCard said Friday when it disclosed the incident. MasterCard launched an investigation into the matter, which also is being probed by the U.S. Federal Bureau of Investigation (FBI). The FBI was notified of the breach on May 23, according to a statement from CardSystems. The company has installed improved and additional security procedures that a investigation security assessor recommended, it said in the statement.

Neither MasterCard or CardSystems could be reached for direct comment about the security breach. CardSystems processes transactions for more than 105,000 small to midsized businesses annually, as well as more than $15 billion in yearly transactions for MasterCard, Visa, Discover and American Express and online debit, according to the company Web site. 

Meanwhile, security vendor Secure Computing Inc. found the first phishing scam using MasterCard in the subject line to alarm e-mail users after the breach was revealed. The initial scam seemed hurried as it didn't mention the security breach and may be an old scam making the rounds again. Secure Computing expects scams to continue and to also be more sophisticated in the coming days, specifically referring in subject lines or body text to the latest big-news breach.

"Consumers should definitely be aware," said David Burt, public relations manager for Secure Computing, based in Seattle.

This latest high-profile breach involving a large number of credit-card numbers will undoubtedly figure in upcoming debates in the U.S. Congress, which already has more than 20 bills in the works that deal with identity theft in some way or other.

The public disclosure of the CardSystems breach, even though it was made weeks after it actually occurred, is likely somewhat in response to California's Senate Bill 1386, which deals with privacy and personal information, said Paul Stamp, an analyst with Forrester Inc., in Cambridge, Massachusetts. More such disclosures should be expected, he said.

"These things are going to happen," he said. "They probably always did." The difference now is that the public is demanding accountability.

CardSystems undoubtedly has plenty to answer for. The Times reported that the stolen data wasn't encrypted, and credit card companies gave statements saying that CardSystems wasn't following their proper security requirements. "MasterCard is giving it a limited amount of time to demonstrate compliance," the company said in a statement.