In the largest reported breach of personal data, hackers infiltrated the computers at a credit card processing center and stole as many as 40 million card numbers, MasterCard International disclosed yesterday.

MasterCard said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the low-profile firms that process merchant requests for credit-card authorization. When a retailer swipes a customer's card, the information goes to companies like CardSystems for approval before getting passed along to banks.

At least 68,000 accounts have had fake charges posted to them, said MasterCard Vice President Linda Locke. Most credit card companies reverse fraudulent charges that are reported to them. Social Security numbers and other personal information were not taken.

The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards, including American Express. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa, American Express, Discover and other cards. Visa did not return a call seeking comment.

"I think all four [of the major card issuers] will be tainted," said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center. "This is the biggest security breach by far."

Hackers and identity thieves trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. MasterCard, which uncovered the incursion, would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.

"Several banks reported atypical patterns of fraud" this week, Locke said. With the help of security firm CyberTrust Inc., "we traced disparate patterns of fraud back to CardSystems." After examining the computers there, she said, "we believe that a hacker intruded and installed some malicious code that captured card information."

The FBI is investigating.

MasterCard said CardSystems hadn't been using industry safeguards at its Tucson, Ariz., processing center, suggesting to analysts that the numbers had not been encrypted. CardSystems did not return telephone calls seeking comment.

"There's no excuse for this," said Avivah Litan, a Gartner Inc. expert on the security of financial data. "This takes the cake."

MasterCard's revelation is the latest in an unprecedented series of reported data breaches that began this year with word that identity thieves had accessed sensitive information on at least 145,000 people tracked by data broker ChoicePoint Inc.

Major security lapses have also been disclosed affecting LexisNexis, Bank of America Corp., Wachovia Corp. and Citigroup Inc.

Hearings in Congress

The reports, spurred by a California law requiring notification of consumers put at risk, have driven a spate of Congressional hearings and proposals for tighter regulation.

On Thursday, a Senate panel heard members of the Federal Trade Commission call for a national disclosure law and mandatory encryption, among other steps.

Several members of Congress said the latest incident underscored the need for new legislation, for example to extend the data-protection rules that are already applied to credit bureaus.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," said Sen. Charles E. Schumer, a New York Democrat, who has sponsored a consumer data protection law.

MasterCard said it would support applying stricter rules to credit-card processors.

As typically happens when credit card information is stolen, MasterCard is leaving it up to the banks that issued the cards to warn the cardholders. It declined to name the banks.