I’m getting tired of posting about data security breaches, but this one is a whopper — actually, more like a double whopper. From the AP:
The names, banks and account numbers of up to 40 million credit card holders may have been accessed by an unauthorized user, MasterCard International Inc. said Friday. The credit card giant said the security breach involves a computer virus that captured customer data for the purpose of fraud and may have affected holders of all brands of credit cards.
It said the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants.
The compromised data did not include addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. The data that may have been viewed — names, banks and account numbers — could be used to steal funds but not identities.
One thing to note is that the type of information accessed is likely to be used for credit card fraud, not identity theft. The two are often confused, and many stories about this data breach have conflated the two. (The story I linked to does not.) Credit card fraud involves a fraudster using a person’s stolen card or card numbers to conduct fraud. Credit card companies have elaborate detection systems for such fraud, and when a consumer catches the fraud, the card is cancelled and a new card is sent in the mail. People’s liability is limited, and with most credit card companies, people are not responsible for any of the fraudulent charges. Identity theft, in contrast, is much more damaging. It involves a thief using personal data to impersonate the victim — usually the victim’s Social Security number. Identity theft is harder to clean up, because bad data finds its way into many different record systems, and since Social Security numbers are very difficult to change, the thief can continue to engage in the fraud. Whereas credit card fraud is like getting a slight cold, identity theft is akin to contracting a chronic disease.
Thanks to PrivacySpot for the pointer.
Originally posted at PrawfsBlawg
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.