System vulnerabilities at CardSystems Solutions, a payment card processor, allowed an intruder to break into the network and access cardholder data, MasterCard International said Friday. The incident exposed more than 40 million cards of all brands to fraud, including 13.9 million MasterCard branded cards.
The breach represents a high-tech version of "skimming," in which criminals use a small device to snatch information from the magnetic stripes on the back of credit cards, said Tom Kelly, a senior investigator at the private investigations division of Stroz Friedberg, a computer forensics and technical services firm.
Next-generation skimming involves attacking servers that process credit-card transactions, collecting account data and then selling that information to people who use it to create counterfeit cards or to make purchases, he said.
"This is very unique to crime groups in Eastern Europe," said Kelly, who has more than 25 years of investigating credit-card and fraud. "It has been going on for years. They're very well organized."
Taking advantage of the vast size of the credit-card breach would require the resources of organized crime, said Chris Noell, vice president of business development at managed security firm Solutionary.
"This market has become supremely efficient... To profit from your crime as a hacker you don't have to conduct the fraud yourself. You can sell the information to those who will take it to the next step and figure out a way to turn those numbers into cash or merchandise," he said.
The breach also demonstrates the importance of a good incident response plan, Noell added. It appears that MasterCard, CardSystems and Visa had been dealing with the incident for a while before it became public, yet they have provided varying accounts of what happened, he said.
MasterCard said Friday that it has given CardSystems a "limited amount of time to demonstrate compliance" with its security requirements. Noell said CardSystems likely will be found noncompliant and will be fined by MasterCard, but that will be the least of its problems.
"We always advise clients to forget about the fines... Half a million is a lot of money, but it's nothing compared to the reputational hit and lost business [in the event of a breach]," he said.
CardSystems could not be immediately reached for comment on Monday. A MasterCard spokeswoman said CardSystems was in violation of MasterCard's strict data security rules for protecting cardholder information but declined to elaborate.
MasterCard and Visa require companies that handle credit-card data to comply with their Payment Card Industry (PCI) Data Security Standard. Noell said merchants and others are trying their best to comply.
"This is an incredibly complex industry and trying to get everyone up to a certain standard of security is quite an undertaking," he said.