CNET también está disponible en español.

Ir a español

Don't show this again

Security

This week in security

Consumers and retailers come to grips with the largest-ever breach of personal data security.

As news of what may be the largest-ever personal data security breach spread, consumers and retailers grappled with how the lost information would affect them.

Late last week, MasterCard International revealed that information on more than 40 million credit cards may have been stolen. Of those exposed accounts, about 13.9 million are for MasterCard-branded cards. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.

The data security breach happened because intruders were able to exploit software security vulnerabilities to install a rogue program that captured credit card data on the network of CardSystems Solutions, a MasterCard International spokeswoman said. The malicious code was discovered after a probe into the security of CardSystems' network.

The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, the spokeswoman said.

Despite those details, many consumers are largely being left in the dark. Pressure is mounting for companies to alert individual cardholders whose details were exposed by the breach at data processor CardSystems Solutions. But representatives for JP Morgan Chase, Citigroup and MBNA said they would not notify customers unless the accounts are actually abused. At that point, the providers would close the account and issue a new card, they said.

Retailers may have more to lose than consumers by the lack of notification. If a fraudster makes purchases on an individual's card, then the cardholder has to pay for the first $50 of unauthorized transactions, or nothing at all. Businesses, however, in many cases have to cover the loss--a potentially heavy burden in the CardSystems case, given the large number of accounts exposed. If consumers aren't alerted, that means the compromised cards could still be active and may be used by criminals in a transaction.