Visa and MasterCard confirmed Friday they’ve alerted banks of a potential data breach involving a third party and affecting major credit card brands. Both companies said the breach did not involve their own systems.
The credit card security breach was first reported by investigative reporter Brian Krebs. In a blog post, he reported the Visa, MasterCard security breach involved a U.S.-based credit card processor and affected potentially more than 10 million card numbers. The Wall Street Journal on Friday identified the third-party credit card processor as Atlanta-based Global Payments Inc., but said up to 50,000 card numbers may have been affected.
“Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” Visa said in its statement.
MasterCard said law enforcement has been notified and “the incident is currently the subject of an ongoing forensic review by an independent data security organization.”
Avivah Litan, vice president and distinguished analyst at Gartner, wrote in a blog post that people in the card data business told her they’re seeing signs of a “breach mushroom.”
“From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card -- be sure to check your card statements for possible fraud,” she wrote.
The breach illustrates that knowledge-based authentication shouldn’t be relied on; a layered authentication approach is always best, Litan said.
“I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge-based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently,” she said.