Stolen Credit Card Data Being Sold On Russian Website

CardSystems Solutions, Inc., processes credit card charges and other payment accounts for banks and merchants across the country. After transactions are finalized, the company is supposed to destroy all records and account information should not be retained. However, John Perry, CEO of the Atlanta-based company, told the New York Times that such data was being stored for "research purposes" and that’s why it was available when computer hackers breached security protocols at the company to access some 40 million credit card accounts, including Visa, MasterCard, and other companies. And now consumers are already beginning to discover phony charges on their monthly statements.

The breach was first publicly announced by a MasterCard spokeswoman, who said that CardSystems Solutions was hit by a computer virus that sucked up card numbers and other customer data. The data that was stolen during the breach included names, banks and account numbers, but did not include addresses or Social Security numbers. Such data could be used to steal funds, but not identities. CardSystems said it first learned of a potential breach on May 22, but they were told by the FBI not to release any information to the public due to their investigation of what they have called the largest security breach of credit card information in history. But when MasterCard’s security division began to detect multiple instances of fraud that tracked back to CardSystems Solutions, they felt compelled to alert banks that issue its cards. CardSystems’ CEO said he's surprised by MasterCard's decision to go public, but since almost 14 million of the compromised accounts were MasterCard accounts, the credit card company wisely decided to be proactive in warning their customers to watch for potentially fraudulent charges.

Credit card data is being bought and sold on what is now a very profitable black market for such critical financial information. According to John Waters, a security expert at iDefense, some account numbers are already being sold on a Russian website. "We saw a lot of chatter in Russian chat rooms over the weekend talking about this as a big win for the good guys, you know, the electrical crime groups." Sellers of credit card data can make huge profits from online sales. Fraud analysts estimate that a basic MasterCard number is worth more than $42, and a premium card with a high limit can bring as much as $70. So the potential profit from selling thousands or millions of stolen credit cards would be more than enough to buy the Kremlin, even though prices will most likely drop now that the security breach has been released to the public. But for cardholders that have already been affected by the scam, the damage is already done.

This security breach is the latest in a series that has hurt a number of high-profile companies including Citigroup, Bank of America, and DSW Shoe Warehouse. Consumers are advised to keep a close eye on their monthly statements, and to notify their bank or credit card company immediately if they see anything suspicious. Cardholders can dispute purchases that are unknown, and they will not be held liable for any purchases that are investigated and found to be phony.