40 Million CC Accounts Compromised


Tiger Shark
June 18th, 2005, 11:25 AM
Source (http://news.yahoo.com/news?tmpl=story&u=/ap/20050618/ap_on_bi_ge/credit_cards_breach)

NEW YORK - The names, banks and account numbers of up to 40 million credit card holders may have been accessed by an unauthorized user, MasterCard International Inc. said Friday. The credit card giant said the security breach involves a computer virus that captured customer data for the purpose of fraud and may have affected holders of all brands of credit cards.

The crux of the issue is that the breach may be used for theft of funds but not, thankfully, ID theft.

I find it interesting that the FBI told the company that actually lost the data to be quiet but Mastercard itself went public.

dmorgan
February 26th, 2006, 07:46 AM
Ok, just bringing the dead thread back because there is an update on the story.
FTC and Card systems settle (http://news.zdnet.com/2100-1009_22-6042665.html?part=rss&tag=feed&subj=zdnn)

From the article:
The proposed settlement requires the privately owned company to adopt stricter security measures and to have an independent audit every other year for the next 20 years.

CardSystems faces potential liability for millions of dollars in private lawsuits for losses, the FTC said.

Can anyone recall how the card numbers were stolen? Wasn't their system unencrypted or something?

spamdies
February 26th, 2006, 08:52 AM
I believe that's the case where the CC employee had their laptop stolen and hadn't been following company policy by encrypting the files.

YoungNobody
February 27th, 2006, 03:00 PM
Update (http://www.theregister.co.uk/2006/02/27/ftc_settles_with_cardsystems)

Another update today from TheRegister.

It looks like they didn't use encryption for their database and they never used strong passwords, if any at all :rolleyes:.

pbajoe
February 27th, 2006, 04:04 PM
Another one of those "Oh, it'll never happen to us!"

zencoder
February 27th, 2006, 04:23 PM
The proposed settlement requires the privately owned company to adopt stricter security measures and to have an independent audit every other year for the next 20 years.

CardSystems faces potential liability for millions of dollars in private lawsuits for losses, the FTC said.

That's not very strict. The PCI DSS dictates much more frequent audits and technical vulnerability assessments. Unless this independent audit is more of a "bend over and say 'Ah'" sort of affair, outside of the normal PCI requirements. In which case, I *still* don't think it's enough.

dmorgan, I believe the issue was CardSystems was keeping cardholder information for some data analysis/warehousing work. #1 they did so in violation of the agreement with Visa (who, let's face it, IS the Payment Card Industry), and #2 they did not have safe data storage and management practices around this unauthorized data.