A third-party credit card payment processor has been hacked, and 10 million numbers may have been compromised.
VISA and MasterCard are now publicly warning banks nationwide that hackers have broken into a U.S.-based third-party credit card payment processor. This is bad news, as sources within the financial sector are calling it "massive," involving more than 10 million compromised card numbers. Neither credit institutions have said which processor has been breached.
The news arrives after a separate non-public warning was issued last week by VISA and MasterCard. At the time, they said specific cards may have been compromised, and that a processor was compromised sometime between January 21 and February 15. Track 1 and Track 2 data were taken, meaning the information could be used to create fake credit cards.
"The network intrusion may have put accounts at risk of being stolen," VISA said in last week's warning. "The investigation is still in the early stages and if additional accounts are determined to be at risk, [additional alerts will be distributed]." The notice added that a forensic company was working with the processor company in question, and that the U.S. Secret Service is also investigating the breach.
Brian Krebs of KrebsonSecurity reports that affected banks are now starting to analyze transactions made on suspected cards, looking for a common point of purchase. Two different financial institutions have already discovered one common factor: they were used in parking garages in and around the New York City area. But that might be mere coincidence.
"On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised," Krebs reports. "PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed."
"To date, the common point of compromise has not been identified," PSCU's notice to the credit unions stated.
MasterCard told The Wall Street Journal that its own systems have not been compromised. However it did not say how many customers will be affected by the breach, or what banks are currently being notified. VISA has not provided an official statement as of this article.
Cardholders concerned about their accounts should contact the banks that issued their cards. If anyone has additional information in regards to the breach, please send a feedback email.