CardSystems Solutions, 40,000,000 CC, hacker
The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.”
MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants’ transactions but not retained by CardSystems.
CardSystems, being a bank, has not yet gotten the message that the rules have changed, and there’s no message on their homepage.
You and I have no way to protect ourselves from this. Shredding your statements doesn’t make a difference. You can’t ask a store clerk “Who’s your credit card acquirer?” (Well, you can, and they are unable to tell you. They know, at best, “swipe and check signature.” They have no idea what happens behind that.)
Congress needs to step in to regulate these industries that take these risks with our personal information, where we can’t protect ourselves, negotiate, or even know that the company exists.
[Update: Bob Sullivan has an analysis at “40 million credit cards exposed,” and Slashdot has a story with a roundup in the summary. Chris Walsh covers my back with the irony and sarcasm at “Prepare for the onslaught of ‘priceless’ jokes.” Richard Bejtlich has some insightful comments in “Cardsystems Solutions Intrusion Exposes 40m CC,” including catching this quote from Mastercard’s press release about GLBA, the fancy new bank “privacy” law:
“Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.”
And with that, I’m going to be paying attention to the most excellent practical attacks on prox cards talk here at REcon, and missing some additional blog posts on this.]