Recriminations flew on Monday over the biggest data breach in United States history as the theft of private information on more than 40-million credit card holders spread to Japan and Hong Kong.
Calls mounted for government intervention after an Arizona processing company at the centre of the breach, CardSystems Solutions, admitted it had retained information on Visa and MasterCard customers improperly.
About 22-million affected customers are Visa holders and nearly 14-million are with MasterCard, according to company figures.
American Express and Discover holders were also hit, but in far smaller numbers.
CardSystems chief John Perry told the New York Times that information on 40-million customers had been compromised, and data on about 200 000 had actually been stolen.
He said the data had been retained by his company for research purposes even after transactions were completed, contrary to rules set by Visa and MasterCard.
”We should not have been doing that,” he said.
But with regard to the sensitive data, ”we no longer store it on files”, he said.
MasterCard and Visa said CardSystems had flouted their security strictures, but played down the risk to consumers.
”We work very hard to ensure that account numbers are kept as securely as possible,” Visa International spokesperson Farnaz Khadem said.
”But when theft does occur, there are multiple systems in place to ensure that fraud does not take place,” she said.
In Japan on Monday, financial company UFJ Card said some of its credit card holders had fallen victim to illegal transactions ensuing from the data theft.
Other Japanese credit card firms linked to MasterCard, including issuers of Nippon Shinpan, DC Card, OMC Card, UC Card and NICOS Card, also reported that their customer information might have been leaked because of the breach.
In Hong Kong, Standard Chartered, HSBC, Bank of China, Hang Seng Bank and Bank of East Asia said Visa and MasterCard had informed them that private information on a ”small number” of their customers had been leaked.
MasterCard said on Friday the breach occurred when ”an unauthorised individual” infiltrated the CardSystems network. CardSystems said it had informed the Federal Bureau of Investigation on May 23 of a potential security problem.
”We understand and fully appreciate the seriousness of the situation. We are sparing no effort to get to the bottom of this matter,” the firm said in a statement.
The case was the latest and largest in a series of security breaches of customer data that open up the possibility of identity theft in the United States.
Citigroup said last week it lost computer tapes containing personal banking data on 3,9-million customers.
Last month, police said arrests had been made in the theft of data of more than 700 000 account holders held in four major US banks.
Democratic Senator Charles Schumer, who is sponsoring comprehensive legislation to deal with identity theft, said the CardSystems incident was the last straw.
”Consumers’ personal and financial data has become the gold of the 21st century and we need to protect it accordingly,” he said.
MasterCard assured its customers that the theft at CardSystems had not compromised social security numbers, which are a de-facto national identification code in the United States and thus the holy grail for hackers.
Susanna Montezemolo of the Consumers Union organisation said that nevertheless, the incident was serious enough.
”Regardless of what information was stolen, this incident should serve as a wake-up call for lawmakers to give consumers stronger tools to protect themselves,” she said. – Sapa-AFP