MasterCard said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the low-profile firms that process merchant requests for credit-card authorization. When a retailer swipes a customer's card, the information goes to companies like CardSystems for approval before getting passed along to banks.
The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards, including American Express. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa, American Express, Discover and other cards. Visa did not return a call seeking comment.
"I think all four [of the major card issuers] will be tainted," said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center. "This is the biggest security breach by far."
Hackers and identity thieves trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. MasterCard, which uncovered the incursion, would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.
"Several banks reported atypical patterns of fraud" this week, Locke said. With the help of security firm CyberTrust Inc., "we traced disparate patterns of fraud back to CardSystems." After examining the computers there, she said, "we believe that a hacker intruded and installed some malicious code that captured card information."
The FBI is investigating.
MasterCard said CardSystems hadn't been using industry safeguards at its Tucson, Ariz., processing center, suggesting to analysts that the numbers had not been encrypted. CardSystems did not return telephone calls seeking comment.
"There's no excuse for this," said Avivah Litan, a Gartner Inc. expert on the security of financial data. "This takes the cake."
MasterCard's revelation is the latest in an unprecedented series of reported data breaches that began this year with word that identity thieves had accessed sensitive information on at least 145,000 people tracked by data broker ChoicePoint Inc.
Major security lapses have also been disclosed affecting LexisNexis, Bank of America Corp., Wachovia Corp. and Citigroup Inc.
On Thursday, a Senate panel heard members of the Federal Trade Commission call for a national disclosure law and mandatory encryption, among other steps.
Several members of Congress said the latest incident underscored the need for new legislation, for example, to extend the data-protection rules that already apply to credit bureaus.
"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," said Sen. Charles E. Schumer, a New York Democrat, who has sponsored a consumer data protection law.
MasterCard said it would support applying stricter rules to credit-card processors.
As typically happens when credit card information is stolen, MasterCard is leaving it up to the banks that issued the cards to warn the cardholders. It declined to name the banks.