A hacker has accessed up to 40 million credit-card numbers by infiltrating the network of a company that processed payment data for MasterCard International.
MasterCard has notified banks that issue its credit cards about the security breach, which targeted CardSystems Solutions, a back-office processing company. Those banks will take steps to notify their customers as they see fit.
The network at CardSystems had certain vulnerabilities that allowed an outsider to access the card numbers, 13.9 million of which were connected to MasterCard cards.
The CEO of CardSystems has said the stolen information was in records that the company was holding for "research purposes". The research involved ascertaining why some transactions were unauthorised or incomplete. The company no longer stores sensitive data in files, the CEO added.
As far as MasterCard is aware, the person who infiltrated the CardSystems network has not yet been identified.
Companies such as CardSystems process payment data for multiple credit card companies, which is why MasterCard numbers accounted for only 13.9 million of the numbers.
Cardholders can dispute, with the bank that issued their card, any purchases they did not make, and they will not be held liable for any purchases deemed to have been made fraudulently.
In the wake of the breach being made public, security vendor Secure Computing was the first to discover a phishing scam that used MasterCard in the subject line to alarm email users. The deception seemed hurried, as it didn't mention the security breach, and may simply be an old scam making the rounds again.
Secure Computing expects such fraudulent activity to continue and to become more sophisticated in the coming days, with subject lines or body text referring specifically to the latest big-news breach.