Attorneys general want details on credit card heist

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.

CardSystems Solutions hasn't been talking since a security breach at the payment processor was disclosed earlier this month. But pressure is mounting on the company to end the silence.

The attorneys general of 44 U.S. states want CardSystems to come clean on the cyber break-in that exposed about 40 million credit cards to fraud. In a letter, the law enforcement officials also demand that the payment processor inform all affected consumers immediately.

The letter, sent on Tuesday, came a day after a class action lawsuit was filed against CardSystems in a California court. The suit also names Visa and MasterCard and accuses the companies of violating California law by neglecting to secure credit card systems and by failing to notify individual card holders about the security breach at CardSystems.

Lawmakers are also taking action. A far-reaching bill introduced Wednesday in the U.S. Senate proposes an avalanche of new rules for corporate data security and stiff penalties for information burglars.

The break-in was disclosed publicly on June 17 by MasterCard International. Intruders got access to details on about 40 million credit cards, most of the Visa and MasterCard brands. Credit card companies have said they would not notify customers unless the accounts are actually abused.

The security breach, possibly the largest to date, happened because intruders were able to install a rogue program on the CardSystems network by exploiting software security vulnerabilities, according to MasterCard. CardSystems did not comply with credit card industry security policies, MasterCard and Visa have said.

The attorneys general call CardSystems' actions "unacceptable." In their letter they say the company should provide:

- The total number of consumers impacted by the breach in each state
- An explanation of how the breach occurred and the steps the company is taking to mitigate consumer injury caused by the breach, including efforts to notify affected consumers
- An outline of the plan the company has developed to prevent the reoccurrence of such a security breach and the timeline for implementing the plan.