MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been “exported from the system.” CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others [...]
An official of the company in question, CardSystems Solutions, has admitted that the company should not have been in possession of the stolen information in the first place: retaining such data violates Visa and MasterCard policy, which raises the question of why CardSystems Solutions chose to violate established security policy by keeping the data for what it calls “research” purposes.
Whatever the case, there is little doubt that this breach will heighten the speculation among policymakers about the effectiveness of many of the current security policies employed in the commercial sector. Many privacy advocates will also see this incident as further evidence of the ineffectiveness of industry self-regulation in general.
The article also points out that the compromised information was not encrypted. We’ve wondered in this space before why it isn’t simply standard operating procedure to encrypt data like credit card account numbers, Social Security numbers, and other sensitive personal information. Sound, well-implemented encryption could certainly lessen the potential for harm when data breaches do occur. Indeed, the California law that is largely responsible for the recent string of data breach notifications even includes an exemption if the breached data is encrypted: