The depth of the data theft at CardSystems Solutions Inc. continues to grow after its CEO admitted the company had no business holding onto the 40 million credit card accounts it now admits were compromised recently by computer hackers.
John M. Perry told The New York Times the cardholder data was kept for "research purposes." MasterCard and Visa both require card processors such as the one CardSystems ran in Tucson, Ariz., to expunge that information once it is passed on to the banks. Instead, the Atlanta-based company retained records. "We should not have been doing that," Perry told the newspaper.
The theft came to light after credit card companies asked for a security audit of CardSystems' network following a spike in fraudulent charges on MasterCard and Visa cards processed in Tucson in April and May. A script to capture data, most likely installed via a virus, was discovered by digital forensics experts on May 22. The FBI was called in to investigate a day later.
MasterCard announced the database theft about a month later, on Friday. A CardSystems executive told The Associated Press the company was "absolutely blindsided" by the MasterCard press release in which the company warned that at least 68,000 account numbers had been exported by thieves. News accounts say 20 million accounts accessed in the massive database were Visa customers and almost 14 million owned MasterCard cards. The remaining 6 million were Discover or American Express cardholders. Company officials emphasized no Social Security numbers were on the cards to assist in identity theft. But fraud is another story.
Some say the 40 million accounts now at risk make CardSystems' attack the largest database hack to date. But it's just the latest in a litany of major companies to acknowledge security lapses that now have consumers, employees and clients scrambling to protect themselves against cybercrime. In fact, 14 companies have been forced to tell the public that private data had been exposed due to lapses in physical and logical security. Some, such as at Alpharetta, Ga.-based ChoicePoint Inc., involved social engineering by conmen; others, like Time Warner and Bank of America, included unencrypted backup tapes lost or stolen in transit.
"The steady stream of these disclosures shows the pressing need for regulation of the industry both in terms of limitation in the amount of personal information that companies collect and also liability when these kinds of disclosures occur," the Electronic Privacy Information Center's general counsel, David Sobel, told the AP when the attacks were first publicized. At least four bills related to consumer data privacy are floating around Congress at the moment.
Note: This story originally appeared on our sister site, SearchSecurity.com.