More than 40 million credit-card numbers belonging to U.S. consumers were accessed by a computer hacker at a card-processing center and...

Share story

More than 40 million credit-card numbers belonging to U.S. consumers were accessed by a computer hacker at a card-processing center and are at risk of being used for fraud, MasterCard International said yesterday.

MasterCard officials said all credit-card brands were affected by the breach, the largest of its kind, including 13.9 million cards bearing the MasterCard label. The company said American Express, Discover, Visa and other brands also were affected. A spokeswoman for Visa confirmed that 22 million of its card numbers may have been breached, but Discover Financial Services said it did not know if its cards were affected.

MasterCard officials said consumers are not held responsible for unauthorized charges on their cards.

MasterCard International said names, card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Solutions, one of the companies that process merchant requests for credit-card authorization. When a retailer swipes a card, the information goes to companies such as CardSystems for approval before being passed along to banks.

Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa, American Express, Discover and other cards.

Fake charges have been posted to at least 68,000 accounts, MasterCard Vice President Linda Locke said. Most credit-card companies reverse fraudulent charges reported to them.

Social Security numbers and other personal information were not taken.

What to do

How to know if you are affected: MasterCard leaves it up to the banks that issued the cards to warn cardholders, so review bills carefully. Cardholders can also check charges by calling the credit-card company or checking balances online.

If you are affected: Alert the credit-card company; you will be reimbursed only if you tell the company.

The law: Under federal law, credit-card holders are liable for no more than $50 of unauthorized charges, and many card issuers will waive the $50.

Source: The Los Angeles Times and The Associated Press

“I think all four [of the major card issuers] will be tainted,” said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center. “This is the biggest security breach by far.”

Hackers and identity thieves trade and sell pilfered credit-card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly.

MasterCard, which uncovered the incursion, would not divulge the dollar amount of the fraud uncovered or say when the improper charges began. “Several banks reported atypical patterns of fraud [this week],” MasterCard’s Locke said. With the help of security company CyberTrust, she said, “We traced disparate patterns of fraud back to CardSystems.” After examining the computers there, she said, “We believe that a hacker intruded and installed some malicious code that captured card information.”

The FBI is investigating.

MasterCard and Visa said CardSystems hadn’t been using industry safeguards at its Tucson, Ariz., processing center, suggesting to analysts that the numbers had not been encrypted.

In a written statement, CardSystems said it discovered the breach May 22 and notified the FBI the next day.

“There’s no excuse for this,” said Avivah Litan, an expert on the security of financial data. “This takes the cake.”

MasterCard’s revelation is the latest in an outbreak of reported data breaches that began this year with word that identity thieves had accessed sensitive information on at least 145,000 people tracked by data broker ChoicePoint. Major security lapses also have been disclosed at LexisNexis, Bank of America and Citigroup.

As typically happens when credit-card information is stolen, MasterCard is leaving it up to the banks that issued the cards to warn the cardholders. It declined to name the banks.

Those banks usually don’t pass the information along because most pilfered numbers don’t get used and issuing new cards, as many customers would demand, can cost $35 or more apiece. If all 40 million cards were replaced, that might cost more than $1 billion.

“They could contain the damage,” Litan said. “All they need to do is put a stop on those cards and issue new ones. But of course they won’t do that, because it costs too much money.”

All credit-card holders should review their monthly bills carefully; they will be reimbursed only if they bring the matter to the company’s attention.

Under federal law, cardholders won’t be liable for more than $50 in fraudulent charges they report, but they risk damage to their credit record and hours spent straightening things out.

Without mass replacement of the credit cards, the biggest financial losers could be retailers. The credit-card associations hold merchants responsible for most fake charges, even though they and their member banks often don’t share their watch-lists of compromised cards.

Financial data processors are obvious targets for hackers. In what might have been the largest previously known breach of credit-card data, 8 million numbers were taken from a similar firm, Data Processors International, in 2003.

But Dan Clements, chief executive of, a privacy-protection organization, said financial institutions lack incentive to take more responsibility.

Not only do credit-card companies and banks that issue cards bear no losses for fraudulent purchases, but banks charge merchants for reversing unauthorized charges. “It’s a revenue stream for them,” Clements said.

Material from The Washington Post is included in this report.