Just days after retiring FBI executive assistant director Shawn Henry warned that U.S. businesses and law enforcement are vastly overmatched by cyber criminals, more than 10 million MasterCard and Visa card numbers have reportedly been stolen in a "massive" data theft.
The two companies late last week began warning banks that specific cards may have been compromised in January and February, yielding information that could be used to counterfeit new cards, Brian Krebs reported Friday on his security news blog. Neither Visa nor MasterCard's systems themselves were breached, according to Krebs, who added that the information was stolen from an as-yet-unidentified U.S.-based processor working for the payment services companies.
The method used to obtain the card numbers remains a mystery for now. Still, Krebs reports, "Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."
The FBI's Henry, who will soon leave his post as executive assistant director of the agency's Criminal, Cyber, Response, and Services Branch, told The Wall Street Journal earlier this week that FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.
Digitized personal data thefts have become quite common over the past decade and a half, and this latest event doesn't even rank among the largest. Heartland Payment Systems earned that dubious distinction in May 2008, when hackers took about 130 million records. Among retailers, TJX Companies, Inc., which owns retailers TJ Maxx and Marshalls, has had the largest customer-payment data breach. Thieves pilfered more than 94 million customer payment records between 2005 and 2007 from the company's computer systems.
Earlier this week, the U.S. Federal Trade Commission asked Congress (pdf) to pass data privacy legislation and called on companies to do more to ensure the privacy and proper use of consumer data, according to InformationWeek.com. The White House has also called on Congress to act on privacy and data security concerns, issuing its Consumer Data Privacy in a Networked World report (pdf) in February to encourage the development of enforceable privacy policies both nationwide and internationally. This report included the Obama administration's request for a Customer Privacy Bill of Rights.
Hacks are difficult to detect and even more difficult to track to their source. One common way attackers evade detection is to break into poorly secured computers and use those hijacked systems as proxies through which they can then launch and route attacks worldwide. Although such strikes are an international problem, there is no coordinated system for an international response, which frustrates local law enforcement seeking cooperation from countries where these proxy servers typically reside.
Image courtesy of Alex, via iStockphoto.com