More than 40 million credit card customers are at risk of fraud after hackers pilfered data from a US company that processes online transactions.
CardSystems Solutions, a payment processing firm based in Arizona, US, has also admitted to backing up thousands of records - contrary to proper procedure - potentially giving hackers easy access during the network intrusion.
The breach was identified by Mastercard, which commissioned an independent investigation at CardSystems Solutions, following an unusually high number of fraudulent transactions.
The investigation was carried out in May 2005 by computer forensics experts who discovered a rogue computer program installed on the company's network and found evidence that more than 40 million sets of credit card details may be been stolen by cyber-intruders. Several tens of thousands of cards are at particular risk, as there is clear evidence they were copied from the system.
On Friday, 17 June, Mastercard issued a statement warning that 13.9 million of its customers are among those affected. And a statement issued on the same day by CardSystems Solutions emphasises the severity of the break in. "We understand and fully appreciate the seriousness of the situation," the statement reads. "Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter."
But CardSystems has also admitted to mismanaging thousands of card records which were subsequently stolen. John Perry, chief executive of CardSystems Solutions, told The New York Times that more than 200,000 records had been backed up on its systems for "research purposes", contrary to proper procedure.
Mastercard and Visa prohibit payment processing companies from retaining card information after a transaction has been completed. "We should not have been doing that," Perry says. "That, however, has been remediated."
Investigators first step will be to trawl through logs to try and identify the network addresses of the computer used to break into the network, says Neil Barrett, a computer security expert with UK company Information Risk Management.
However, he adds that such information can be fairly easily disguised in order to frustrate the efforts of investigators. Another approach is to watch for fraudulent transactions involving stolen information, and then attempt to trace this back to the culprits of the break-in.
Peter Sommer, a computer security expert at the London School of Economics, also in the UK, says the incident merely highlights the dangers of mishandling sensitive customer data. "There's nothing new about this risk, and the end user can do nothing," Sommer told New Scientist. "Most security breaches happen simply because hackers are persistent. And, if you are holding important information like this, you can't afford a single breach."
Barrett also admits that such a crime seems inevitable, given the number of transactions occurring online everyday. "It's criminal business as usual, I'm afraid," he says.