Law enforcement officials are investigating what appears to be a massive theft of U.S. consumers' credit card data, MasterCard and Visa confirmed Friday. The computer security expert who first reported the theft said it might involve as many as 10 million accounts, making it one of the largest known credit card heists.
"MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization."
Payment processor Global Payments said late Friday it was the target of the hack.
In a statement, the firm said it "identified and self-reported unauthorized access into a portion of its processing system." Earlier Friday, trading in Global Payments stock had been halted.
"In early March 2012, the company determined card data may have been accessed," the firm said. "It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter."
Paymemt processors -- "middle men" that handles transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.,-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.
The theft confirmed Friday was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com. He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."
Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."
Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.
"I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.
She's been told that investigators believe the data theft originated in New York City.
"From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.
MasterCard said none of its computers were hacked as part of the incident.
"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner. "