Over at Digital Identity World, Eric Norlin reacted with incredulity to MasterCard's PR spin on the loss of 13.9 million customer card numbers by card processor CardSystem Solutions. The spin was part of a story in USA Today that read in part:
Credit card users, don't fret. Only a small fraction of the 13.9 million credit card accounts at MasterCard exposed to possible fraud were considered at high risk, the company said Saturday.
MasterCard International Inc. spokeswoman Jessica Antle said only about 68,000 of its card holders are at "higher levels of risk." And while those 68,000 should closely examine their credit or debit card accounts, customers do not have to worry about identity theft, Antle said.
I'm sure you're feeling better already. What exactly is a higher level of risk? Fortunately, the CardSystem Solutions breach didn't contain Social Security numbers like other recent losses of personal data, but sloppy handling of personal data is still sloppy.
You may wonder why we're seeing more and more of these kinds of incidents lately. I think there are two primary drivers:
First, some state consumer protection laws, California's in particular, require the disclosure of any loss. This forces companies to tell consumers things that they would have tried to quietly hide in the past. This is a two-edged sword. Sometimes, such disclosures alert thieves to the true value of what they've got, as in the case of a couple of stolen laptops at UC Berkeley a while back.
Second, there's a growing market for identity data. Five years ago, this sort of thing was relatively disorganized, but at present, I'm told, an SSN sells for $1.00 to $1.50. So, stealing a single SSN isn't worth much, but if you can get your hands on thousands of them, that's a business. I recently heard from a friend who worked for a virtual hosting company. He said they would regularly have accounts opened on stolen credit card numbers and no sooner did they shut them down than another stolen card would be used to open another account that was obviously from the same person. Sometimes this would go on hundreds of times. Since the accounts were provisioned from overseas, there wasn't much law enforcement could do. Entire criminal enterprises are being run on stolen credit cards.
I'm with Eric on this one. I don't want MasterCard's glib assurances that only a small fraction of the lost cards are high risk. I want them to take steps to protect customer data.