Stolen MasterCard "High Risk" Accounts Total Estimated At 68,000 (Out of 40M)
American Express and Others Have Been Jeopardized Too

When MasterCard's forensic people went in to investigate the security breach that affected nearly 14M MasterCard accounts this week, they were able to find right away a file that, with 100% certainty, held 68,000 account numbers exported from its system. These accounts are considered "especially at risk."

In what might amount to one of the largest data heists ever, MasterCard believes up to 40 million cardholders of such credit card brands as MasterCard, American Express and others have been jeopardized in a massive theft at third-party credit card processor CardSystems Solutions Inc.

The breach compromised account holder names, banks and account numbers.

The MasterCard disclosure adds fuel to a growing uproar among privacy rights experts and government regulators who fear that Americans are increasingly threatened by identity theft and other privacy violations due to sloppy or inadequate data privacy and data security practices.

Earlier this week, the U.S. Senate debated different approaches to dealing with the problem. In the meantime, more and more states are following the lead of California, whose groundbreaking information privacy act called SB1386 mandates that all potential privacy breaches be publicly disclosed to those affected.

"The MasterCard incident represents only the tip of the iceberg of what has become a global identity theft epidemic," said Jim Stickley, internationally respected security expert, cofounder and CTO for TraceSecurity. He continued:

"Most Americans don't realize how poorly their private financial information can be protected. Oftentimes their information is stored on computer hard disks and tapes by the numerous trustees of this data -- including banks, brokerages, insurance companies, credit card companies, mortgage companies and credit rating agencies. Unfortunately, even when the original trustees of the data incorporate proper security precautions, the data is then sent out to third-party vendors who do not incorporate the same strict security standards."

"Oftentimes these organizations implement archaic data privacy practices that haven't kept pace with rapid technological changes or with the evolving threats. Another concerning factor is the lack of encryption, which, though available, is rarely used for data storage. For example, most corporate data is stored on computer hard disks or tape drives in clear plain text, unencrypted, which means that unauthorized persons can easily access the data. In today's case, a rogue computer virus or worm apparently stole the data. If that data had been encrypted, we wouldn't have 40 million people losing sleep tonight wondering if their credit card information was violated."

Stickley believes it's time for the federal government to do more.

"The time has come for government regulators to step in and mandate more responsible data protection practices," added Stickley. "California's disclosure rule has been a great first step, and should become a model for national law. But the government needs to go further. The next step is to mandate better data protection practices. Data encryption is an important and necessary start, but it's not the total solution. The biggest problems we see are related to the human element of the security equation. Employees at these companies require, and should be entitled to receive, continuous education about policies and procedures that can prevent such massive thefts from occurring in the first place."

Stickley, in a moment of levity, suggests MasterCard adopt the following new marketing campaign that would appeal to the growing hordes of computer criminals around the world:

"New Computer: $1,100.00 ... An Internet guidebook to writing computer viruses: free ... Easily stealing 40 million credit card accounts: priceless."

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.


Reader Feedback

I can't imagine how something like this is still able to happen! I have been working at a credit union http://www.creditunionofsc.org for years and just assume by now that organizations are taking the proper steps to protect confidential information. How soon till we see the lawsuit?



