Lax Security Cited in Massive Credit Card Data Theft

Inadequate security at credit card processor CardSystems Solutions Inc. is being blamed for a break-in that has exposed more than 40 million credit card accounts to potential theft. The company says the system compromise was discovered May 22, after a MasterCard inquiry into a wave of fraudulent transactions.

MasterCard International said it "worked with CardSystems to remediate the security vulnerabilities in the processor's systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data." Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems' security. The CardSystems web site runs on the Windows 2000 operating system and Microsoft IIS Server 5.0.

CardSystems, which processes more than $15 billion in transactions a year for 105,000 small businesses, said in a statement that it "immediately began a remediation process to ensure all systems were secure." The statement added: "Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security."

Third-party testing is critical to the security of online banking and e-commerce systems, but it is obviously less valuable if an institution defers it until after an enormous breach has occurred. The CardSystems breach offers a cautionary tale for all institutions handling sensitive financial data. Our interest here should be clearly stated: Netcraft offers a range of advanced security services, including web application security testing and an auditing service that provides ongoing detection of new security vulnerabilities and configuration errors introduced by system and network maintenance.

But security service providers aren't alone in viewing the absence of third-party audits as a weak link in data protection. On Thursday the U.S. Federal Trade Commission mandated third-party audits for BJ's Warehouse Club as part of a settlement resulting from a security incident that exposed customer data. The FTC previously took similar action against Tower Records, Microsoft, Guess and Eli Lilly for leaks of customer information.

Weak security could even invite criminal prosecution, as the FTC found that BJ's lax security was an unfair practice that violated federal law. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information," said Deborah Platt Majoras, Chairman of the FTC. Banking regulators are focused on this issue as well.

Then there's the potential financial cost. Reissuing credit cards costs the issuer about $10 per card, according to industry sources, suggesting a cost of $400 million to replace the accounts affected by the CardSystems incident. Credit card issuers generally don't replace a card number until evidence of fraudulent transactions is found.

Consumer uneasiness about the security of their data is heightened by suspicions that breaches have been occurring for years without their knowledge. Disclosures of security incidents were rare before the 2003 passage of a California law requiring that customers be notified when their information has been inappropriately disclosed.

The CardSystems breach illustrates the inconsistencies in disclosure policies among credit card providers. While MasterCard announced that 13.9 million of its accounts may have been compromised, as of midday Saturday no similar announcements had appeared in the online newsrooms of Visa, Discover or American Express. News reports say accounts at all four providers were affected.