Consumers, retailers grapple with data theft

Increase in fraud feared as the credit card industry recovers from a mega-heist.

Consumers are being left in the dark as the credit card industry cleans up after a digital break-in that put millions of accounts at risk.

Pressure is mounting for companies to alert individual cardholders whose details were exposed by the breach at data processor CardSystems Solutions. But representatives for JP Morgan Chase, Citigroup and MBNA said they would not notify customers unless the accounts are actually abused. At that point, the providers would close the account and issue a new card, they said.

That approach irks lawmakers who are fighting for full disclosure in the event of a data security breach. People should be able to decide themselves if they want to close their account after their personal information has been leaked, they said.

News.context

What's new:
Consumers are being left in the dark as the credit card industry cleans up after a digital break-in that put millions of accounts at risk.

Bottom line:
With the cost of the breach not yet clear, lawmakers and other parties are keeping a close eye on the impact it's having on customers and on the credit card industry's response.

More stories on personal data security

"The consumer, not the company, ought to be able to make the judgment, to the extent he wants to be at risk," said California state Sen. Joe Simitian, a Democrat from Palo Alto. "Consumers can't protect themselves if they are not informed."

With the cost of the breach not yet clear, lawmakers and other parties are keeping a close eye on the impact it's having on customers and on the credit card industry's response. Online retailers, which often bear the cost of credit card scams, are especially concerned about a possible influx of fraud.

In the break-in, reported Friday by MasterCard, the intruder got access to names, account numbers and verification codes for 40 million credit cards that could be used to commit fraud. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, Chase doesn't plan to inform individuals whose data was leaked.

"We are not going out to however many customers of ours that are affected," said David Chamberlin, a spokesman at Chase, which has issued 94 million credit cards in the United States. "Right now, we are dealing with potential fraud. If we find fraud or believe our customers are at high risk of fraud, we will contact them as soon as possible."

Chase's stance is echoed by Citigroup and MBNA. Representatives for both financial services providers said that they will closely monitor the accounts that are known to be exposed. The companies are advising all customers to keep a close eye on their online and monthly statements.

American Express is still weighing whether it should contact individual customers, a representative said Tuesday.

"We are not going out to however many customers of ours that are affected."
--David Chamberlin, spokesman, Chase

The issuers' approach would appear to put them in contravention of a California law that requires businesses to alert consumers if their personal information might have been stolen from a computer database. Sen. Simitian authored that law, the Security Breach Information Act, which came into effect two years ago.

"If somebody has your name and your credit card number and all the information needed make purchases on your account, you need that information to protect yourself," Simitian said. "If Chase continues to take the position that it (the law) does not require them to provide notice, I will do another bill if I have to."

On the national level, Sen. Dianne Feinstein, a Democrat representing California, is urging all credit card companies to contact affected customers. The CardSystems breach is a clear example that the industry is failing when it comes to protecting consumer data, she wrote in a letter Tuesday to the chief executives of Visa, MasterCard, American Express and Discover.

Like Simitian, Feinstein believes that notification is "vital to affording individuals the ability to protect their identity and their credit," she wrote. Feinstein has introduced a bill in the U.S. Senate that would require that consumers be notified of certain types of security breach.

Retailers may have more to lose than consumers by the lack of notification. If a fraudster makes purchases on an individual's card, then

 

Discuss Consumers, retailers grapple with data theft

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Articles from CNET
The other analog format: Cassette tape decks have never been cheaper to buy