Bob Eschliman reports more on a recent breach disclosure in Iowa:
The MasterCard Fraud Management department has been notified of a security breach of a U.S. merchant’s network. A data security firm has been engaged to conduct an onsite forensic investigation. This alert discloses the payment account numbers of MasterCard accounts that were potentially exposed to compromise.
Preliminary investigations indicate that magnetic stripe data is at risk.
This alert contains account numbers used in transactions at the subject merchant from November 2, 2010 through April 20, 2011.
What I find intriguing is that no other bank in the area has indicated that they have been notified of the merchant breach.
That’s also a long time for the network to have been breached without the merchant realizing it, although sadly, it’s not particularly uncommon.
Read more on Clarinda Herald-Journal.
Unfortunately the story you are linking to is no longer available. The newspaper went to “pay for” only site access.
Regardless, I’ve been caught up in all this hinkiness twice in the last 90 days. First it was fraudulent charges on a BoA issued MasterCard in September. And in November the same problems popped up on my Citibank MasterCard. As a consumer I am not amused.
The experience with both credit card issuers was eerily similar: They knew the charges were somehow “wrong” and reversed them before I was even contacted. They said I would receive a fraud affidavit which I needed to sign and return – which they never sent. And almost verbatim, customer service reps at both banks said they did not know what was going on, and even if they did they couldn’t give me details. Yeah, right…
MasterCard and the issuing banks should not underestimate the annoyance this is causing the consumer. And taking a “speak no evil” approach isn’t helping. Somebody knows something is seriously wrong. If account data is known to be stolen then dammit, get ahead of it despite the costs and get new cards/accounts out there before it becomes a royal PITA for the customers. This is the very stuff that is known to cause consumers to say “No thanks” to receiving a replacement card/account. I have plenty of credit elsewhere. I don’t *need* MasterCard.
Sooner or later people are going to yowl if the size of this problem becomes huge, one customer report at a time. Right now, I’m annoyed enough to start calling radio and TV stations and seeing if anyone bites on the story. Because having 2 MasterCard accounts frauded in 90 days really bites.
In most cases, the banks really do not know the source of the breach. All they know is that MasterCard (or Visa) gives them a list of account numbers to flag. They can’t tell us what they do not know. And it may take MC and Visa time to pinpoint the common point of compromise. So I suspect there will always be cases where at least some customers experience what you did before a breach is pinpointed and their system secured. Look how long it took to nail down the Heartland breach. Fraudulent charges were showing up in the Fall of 2008 and yet Heartland was unable to confirm a breach until January 2009.
I’ve had this disclosure argument/discussion with Visa a few times in recent years. Their position is that they have no direct contract with the consumer and so have no obligation to tell us what merchant was involved. They also argue that they cannot/should not disclose if the merchant hasn’t disclosed. In other words, if the merchant doesn’t disclose, we may never find out for sure where a merchant breach was.
One of the benefits of a national data breach disclosure/notification law would be that we would presumably learn where a breach occurred. And I think that’s a good thing for consumers. If the FTC can tell Facebook they have to be more transparent as a business practice, why don’t merchants have to be more transparent if they’ve had a data breach?