Credit card giants MasterCard and VISA are warning banks around the US that a recent major security breach may have compromised a reported 10 million card numbers.
This massive breach within a third-party US-based credit card processor occurred between January 21 and February 25. After several days of staying silent on the matter that the processor, Global Payments Inc., stepped forward to acknowledge the security breach. Global Payments said in the announcement that hackers stole account number and other information that could be used to create counterfeit cards. But the thieves did not get a hold of cardholder names, addresses, or Social Security numbers.
Card-issuing banks have started analyzing the affected cards and possibly alerting card holders and reissuing cards. Law enforcement agencies, including the Secret Service, are investigating the matter. Details about the breach are a little fuzzy at this point as it continues to be investigated.
This is just the latest occurrence of cyber attacks that target financial institutions, businesses, and government agencies. Data breaches occur all of the time. I wrote about two big cyber attacks at Citibank and the International Monetary Fund last year. According to the Identity Theft Resource Center there were 419 data breaches at banks, businesses, and institutions during 2011. Stolen information usually includes credit card numbers, social security numbers, dates of birth, names, and phone numbers.
Data breaches always seem to stir up the same issues and concerns. One big issue is that there is no national standard for when and how banks or other companies report security breaches. It’s rather typical for a business to wait more than a week and up to a month to report the information.
However, 46 states have enacted legislation requiring notification of security breaches. Alabama, Kentucky, New Mexico, and South Dakota still have no such laws. Timing of data breach reporting is a little loose. Some laws only require that companies report the information “as soon as possible.” Also, the reporting of some security breaches can be held up by law enforcement agencies that are conducting criminal investigations.
Companies are often criticized for their lack of urgency when reporting such breaches in security. No doubt that MasterCard, VISA, and the card processor responsible in this case will catch some heat for their one month delay in telling the public about this data theft.