Visa and Mastercard warn of breach at "major retailer"

UPDATE:  Hannaford and Sweetbay supermarkets announce compromise of 4.2 million credit and debit cards

Date Reported:
3/17/08

Organization:
unnamed "major retailer"*

*Update pending as details become available

Contractor/Consultant/Branch:
Unknown

Victims:
"consumers in Massachusetts and northern New England states"

Number Affected:
"MBA estimates that hundreds of thousands"**

**MBA is the Massachusetts Bankers Association which represents approximately 200 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.

Types of Data:
Credit card information

Breach Description:
"BOSTON, March 17, 2008 – The Massachusetts Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”"

Reference URL:
Massachusetts Bankers Association press release
CNN Money

Report Credit:
The Massachusetts Bankers Association

Response:
From the online sources cited above:

MASSACHUSETTS BANKERS ASSOCIATION ALERTS CONSUMERS ABOUT ANOTHER RETAIL DATA BREACH

BOSTON, March 17, 2008 – The Massachusetts Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”
[Evan] Who the "major retailer" is could be anyone's guess.

The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and it is urging consumers to monitor their accounts.
[Evan] Ugh.  A "major breach" at a "major retailer", which will probably lead to a "major lawsuit" from which lawyers will make "major money".

The retailer has not been named by the card companies and the bankers association wants customers to know that this was not a problem caused by banks.

The data breach is reported to have occurred between Dec. 7, 2007 and March 10, 2008.
[Evan] Holy cow that's a long time!  The breach itself took place for three months and took that long to detect?  Assuming the "major retailer" report is true, just think about how many credit card transactions must have taken place.  Chances are good that the retailer never noticed the breach and only became aware after a slew of fraudulent charges were reported by consumers.

The MBA said that each bank that received an alert from the card companies will make its own decision whether or not to issue new cards or to monitor the accounts for the time being. In either case, customers need not worry and can protect themselves by monitoring their accounts.
[Evan] Customers will still worry.

“With lack of specificity at this point, or even when the name of the retailer becomes public, customers do not need to call their bank,” said Forte (Daniel J. Forte, president and CEO of the MBA).
[Evan] Customers will still call their bank.

“If cards are to be replaced, consumers will be notified by their bank. In the event that fraud does occur due to a data breach, even though our banks did not cause this breach, the banks will hold each customer harmless, refunding any lost money.”

Visa and MasterCard, according to their own policy, have not released the name of the company responsible for the data breach, reporting to the affected banks only that it was “a major retailer.”

The MBA has been in discussions with the card companies as well as pursuing legislative remedies that would change card company rules and require release of the name of the offending retailer, as well as place liability for the costs associated with a breach with the retailer.
[Evan] Seems to me that a law like this passed last year in Minnesota.

“Releasing the name of the retailer would make all of our lives easier and safer,” said Forte. “Customers who didn’t shop there would be put at ease, and banks could do more efficient investigations to better protect customers. It is an important issue and one that we are vigorously pursuing.”
[Evan] Absolutely!  I completely agree with Mr. Forte.  I do not understand how disclosing the retailer would affect a criminal investigation, and I disagree with Visa's and Mastercard's crock policy that serves no interest to the consumer.

Commentary:
This will be "major news" when the retailer becomes known. It is not even known whether this breach affects only Massachusetts and New England consumers. MBA did the prudent thing by issuing a press release. Stay tuned.

I am interested in reading more details.  From an information security perspective, I probably won't like what I read.

Past Breaches:
Unknown

 