Krebs on Security, a security news and investigation site, is reporting that both VISA and MasterCard are warning banks of a security breach at a U.S. credit card processor. The breach is said to be 'massive' with as many as 10 million card numbers possibly compromised.
The alerts began going out late last week, but the actual security breach happened between January 21 and February 25 of this year. Banks were told that "full Track 1 and Track 2 data was taken," which is enough information to counterfeit new credit cards.
Only MasterCard is speaking out so far. "As a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," the company said to NewsCore, according to the New York Post.
According to the Wall Street Journal, a MasterCard spokesperson said, "MasterCard's own systems have not been compromised in any manner."
VISA has not issued any statements, and there is no word yet on which card processor was compromised. Krebs stated that banks are analyzing transaction data to determine any commonalities in purchases made on the compromised cards.
From the Krebs article:
Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.
It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.
Yesterday I shared an infographic on the largest hacking scandals in the past decade. Financial institutions must be hoping this latest one is dealt with swiftly and with a minimum of disruption to the financial industry.
(via Krebs on Security)