NEW YORK TIMES: "MasterCard International reported Friday that more than 40 million credit-card accounts of all brands may have been exposed to fraud through a computer security breach at a payment-processing company, perhaps the single largest case of stolen consumer data to date. 

MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to mid-size merchants and financial institutions each year. 
About 13.9 million MasterCard accounts were compromised as well as those of unspecified numbers of Visa, American Express and Discover customers. The accounts affected included credit cards and certain kinds of debit cards. 

The FBI said it was investigating. 

Sharon Gamsin, a MasterCard spokeswoman, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, when the investigation began or whether any infiltrators had been identified. She did say that the breach had occurred sometime this year. 

Deborah McCarley, a spokeswoman for the FBI field office in Phoenix, said her agency was trying to establish the scope of the breach and that ``the investigation is just beginning.'' 

CardSystems said Friday that it identified a potential security problem May 22 or 23 and contacted the FBI, then the Visa and MasterCard associations. It said steps were taken immediately to ensure all systems were secure. ``Our goal is to cooperate fully with the FBI,'' it said. 

According to MasterCard, an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems' network, exposing cardholders' names, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card. 

``The processing companies are hubs for millions of payment records,'' said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a digital rights group based in Washington. ``It is the juiciest target for an individual who wants account numbers. It is a honey pot for identity thieves.'' 

He suggested that customers monitor their bills for unauthorized charges and consider asking their credit-card issuers for new account numbers. 

MasterCard said other personal data that might be subject identity theft, such as Social Security numbers and dates of birth, was not stored on its cards and therefore not at risk. And it said credit-card holders would not be liable for any fraudulent charges to their accounts. 
Visa and American Express also had statements on their Web sites Friday that customers wouldn't have to pay for fraudulent charges. 

MasterCard said specific advice to cardholders as to precautions or recourse would have to come from the banks issuing the cards. 

Officials at major credit-card issuers, like Citigroup and JPMorgan Chase, said they had been notified of the breach only recently -- in some cases as late as Friday -- and were still assessing the scope of the problem. Janis Tarter, a spokeswoman for Citigroup's credit-card division, said her company would notify customers likely to be at risk and more closely monitor any accounts that might have been affected. A Chase card spokesman said his company was taking similar steps. 

MasterCard said the investigation began when it was notified by several banks that they had detected atypical levels of fraudulent charges. In turn, MasterCard began monitoring information from those accounts for common purchasing points. Using complex data-analysis systems and the assistance of an outside forensics firm, it was able to home in on an unspecified bank receiving spending data from merchants. 
``When we started to dig into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions,'' said John Brady, MasterCard's head of merchant risk services. 

Although 40 million credit-card accounts were said to have been put at risk, it is not clear whether data on all of those accounts was actually obtained." 

(Originating URL = http://www.mercurynews.com/mld/mercurynews/business/11928004.htm )