A US-based credit card transaction processing company last week confirmed that millions of card numbers were stolen recently when someone hacked into its computers. But it defended itself by saying the culprits may not have obtained any useful information.
Omaha-based Data Processors International Inc. (DPI) acknowledged in a statement that it "experienced a system intrusion" four weeks ago. But it added that the stolen data "did not include any personal information that could relate a card number to an individual."
The hackers didn't get the names, addresses, phone numbers or Social Security numbers of any cardholders, according to the statement. "It's still unclear if any usable data was compromised at all," said DPI, which processes credit card transactions for direct marketing and mail-order catalog companies.
But even if a hacker had only a credit card number, getting the name, address and phone number of the cardholder wouldn't be an insurmountable task, according to Avivah Litan, a financial services analyst at Gartner Inc. in Stamford, Conn. For example, Litan said, information could be purchased online through so-called skip trace databases, which are used by bounty hunters and others to find personal information.
Scott Jones, a spokesman for DPI, said the company wouldn't comment about any of the technical aspects of the system intrusion, which came to light early last week (see story). Jones also wouldn't discuss whether DPI had intentionally separated the card numbers from the personal data of consumers in its systems. But he did say that the company is working to improve its information security in response to the break-in.
Analysts said the incident was the largest single case of online theft of credit information. A spokeswoman for MasterCard International Inc. put the total count of credit card numbers that were exposed to the hackers at about 8 million.
Purchase, N.Y.-based MasterCard said 2.2 million of its card numbers were taken, while Foster City, Calif.-based Visa International Inc. said the hackers made off with 3.4 million of its card numbers. New York-based American Express Corp. and Discover Card, a unit of New York-based Morgan Stanley Dean Witter & Co., were also affected by the intrusion.
Richard Fischer, a partner at San Francisco-based law firm Morrison & Foerster LLP, advises Visa and other financial services firms on payment systems, e-commerce and data privacy issues. He said security is a game of one-upmanship with hackers and requires companies to constantly upgrade their technology.
For example, credit card companies such as Visa and MasterCard use sophisticated computing algorithms to track transactions by cardholders and detect unusual buying patterns, Fischer said.
MasterCard said that during the week of Feb. 3 it began to notify its member banks of the system break-in at DPI. Visa said its fraud team immediately notified all affected card issuers and is now working with DPI "to protect against the threat of a future intrusion."
But neither the credit card companies nor DPI have disclosed any information about the thefts on their consumer Web sites. "Instead, they will monitor the accounts for any signs of fraud," Fischer said. "If there's any suggestion of unauthorized transactions, they're going to be contacting those individual customers."