40 million credit cards compromised
Publish date: 16 February 2005
Issue Number: 1068
Diary: Legalbrief eLaw
Category: Cybercrime
In what is believed to be the largest case of potential identity theft, more than 40 million credit cards have been exposed at credit card processor CardSystems Solutions.
According to Out-Law.com, the breach, which was initially detected in late May and confirmed two weeks ago, has been kept under wraps at the request of the FBI. Security vulnerabilities in the systems of CardSystems Solutions allowed a hacker to infiltrate the network and access cardholder data, potentially exposing them to the risk of fraud. Around 13.9 million of the cards are MasterCard-branded, and a reported 22 million Visa cards may also have been compromised. American Express and Discover cardholders are also thought to be affected. According to reports, 68 000 MasterCard cardholders have already found fraudulent charges on their accounts.
Full Out-Law.com report
SA Visa and MasterCard clients should know today if they were among the accounts compromised. According to a Finance24 report, the local offices of both companies say they are still waiting for the breakdown by world region and country. Visa SA spokesperson Zubeir Shah is quoted as saying about 30 000 accounts located in the Central Europe, Middle East and Africa region, which includes this country, have been compromised.
Full Finance24 report
MasterCard said that it is giving the third-party processor a limited amount of time to comply with MasterCard security requirements, reports InternetNews. In addition, MasterCard has reiterated its desire that Congress enact a wider application of the Gramm-Leach-Bliley Act, which includes provisions to protect consumers' personal financial information held by financial institutions. Currently the Act applies only to financial institutions that service consumers, but MasterCard said it would like Congress to extend that application to include any entity, such as third-party processors like CardSystems, that stores consumer financial information.
Full InternetNews report
This security breach shows how online criminals are scoring big by thinking small, according to an ITWeb report. Increasingly, cyber criminals are crafting more focussed attacks with a potential for profit by targeting one or two companies at a time, rather than blasting out virus attacks, according to security experts. In terms of the CardSystems breach, the attacker apparently placed a malicious computer script on the company's computers. This type of attack is becoming increasingly common. According to Mark Sunner, of MessageLabs, since January the company has seen a 150% increase in attacks that targeted only one or two companies. Targeted attacks have the key advantage of being small enough to stay off the radar of Internet security firms that are on the lookout for broader attacks. This gives the criminals the time to research a company thoroughly before trying to penetrate it.
Full ITWeb report
The online trade in credit card and bank account numbers has become highly structured and sophisticated, according to The New York Times. While the players are situated globally, most of the Web sites where they meet are run from servers in the former Soviet Union, making them difficult to police. The Federal Trade Commission estimates that roughly 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5bn and businesses $48bn annually.
Full report in The New York Times
This announcement follows a wave of other highly publicised consumer privacy breaches, reports E-Briefs. These include the loss of backup tapes by the Bank of America, the loss of 145 000 customers' personal information to identity thieves at data broker ChoicePoint and the loss of personal information relating to 3.9 million customers of a CitiGroup subsidiary, reports Out-Law.com. Given the growing public pressure to enact laws to protect consumer data, the US Senate opened a series of hearings last week on legislative solutions to data breaches and identity theft. Just before the first hearing, Entrust released the results of a survey that showed 71% of Americans believe new laws are needed to protect consumer privacy on the Internet. According to the survey, 97% of respondents rate identity theft as a serious problem, with 48% saying they now avoid online purchases out of fear of their financial data being stolen, reports InternetNews. Entrust CEO Bill Conner urged Congress to enact a uniform national breach notification law for unauthorised acquisition of unencrypted personal information.
Full InternetNews report
At the Senate hearing, US Federal Trade Commission Chairperson Deborah Majoras detailed a settlement the agency had made with BJ's Wholesale Club, which the FTC had charged failed to take adequate measures to protect consumers' personal information, reports InternetNews. According to the FTC complaint, BJ's failed to encrypt consumer information when it was transmitted or stored on the company's computers and created unnecessary risks by storing data even when it no longer needed the information. In addition, the FTC alleges BJ's failed to use readily available security measures to prevent unauthorised wireless connections to its networks and failed to take sufficient measures to detect unauthorised access. The settlement requires BJ's to implement a comprehensive information security programme while submitting to third-party security audits every year for 20 years.
Full InternetNews report