« Notice Much Delayed: The FDIC Data Security Breach | Main | News Reporting »

Saturday, June 18, 2005

Data Security Breach Supersized: 40 Million People Affected

Cardsystems I'm getting tired of posting about data security breaches, but this one is a whopper -- actually, more like a double whopper.  From the AP:

The names, banks and account numbers of up to 40 million credit card holders may have been accessed by an unauthorized user, MasterCard International Inc. said Friday. The credit card giant said the security breach involves a computer virus that captured customer data for the purpose of fraud and may have affected holders of all brands of credit cards.

It said the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants.

The compromised data did not include addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. The data that may have been viewed -- names, banks and account numbers -- could be used to steal funds but not identities.

One thing to note is that the type of information accessed is likely to be used for credit card fraud, not identity theft.  The two are often confused, and many stories about this data breach have conflated the two. (The story I linked to does not.)  Credit card fraud involves a fraudster using a person's stolen card or card numbers to conduct fraud.  Credit card companies have elaborate detection systems for such fraud, and when a consumer catches the fraud, the card is cancelled and a new card is sent in the mail.  People's liability is limited, and with most credit card companies, people are not responsible for any of the fraudulent charges.  Identity theft, in contrast, is much more damaging.  It involves a thief using personal data to impersonate the victim -- usually the victim's Social Security number.  Identity theft is harder to clean up, because bad data finds its way into many different record systems, and since Social Security numbers are very difficult to change, the thief can continue to engage in the fraud.  Whereas credit card fraud is like getting a slight cold, identity theft is akin to contracting a chronic disease. 

Posted by Daniel Solove on June 18, 2005 at 01:56 PM in Daniel Solove, Information and Technology | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341c6a7953ef00d834274c9853ef

Listed below are links to weblogs that reference Data Security Breach Supersized: 40 Million People Affected:

» 40 Million Credit Card numbers stolen. from JRB Technology
In what could be the largest security breach in history, 40Million credit card numbers were stolen from a company called CardSystems. CardSystems is one of many companies that processes credit cards... [Read More]

Tracked on Jun 29, 2005 9:37:02 AM

Comments

You know, maybe this is a good thing in a way. Sort of in a Leninist sense: it'll undermine the whole credit system and possibly bring it down. The credit card companies may have their bankruptcy bill, but if every single person in the country has a totally unreliable credit rating, what are they gonna do with it?

-Cynical Paul

Posted by: Paul Gowder | Jun 19, 2005 1:14:10 AM

Post a comment