Your credit card number: it’s everywhere you don’t want it to be

You should call your bank/credit card company and find out if your card was one of the ones recently stolen. This CNET article left me shaking my head for a few reasons:

The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions, MasterCard International spokeswoman Jessica Antle said. The program captured credit card data, she said.

“install rogue program” is a code-word for “some dumb*ss let a trojan horse get installed”.

The probe also found that the Atlanta-based payment processor did not meet MasterCard’s security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, Antle said.

Now, whose fault is it that CardSystems continued (and continues) to operate? I caught a GMSV article quoting CEO John Perry as saying they retained all those excess records for “research” purposes? Research on what? To sell to whom? WTF!

MasterCard declined to disclose more information on the breach, citing an ongoing investigation by the FBI.

Oh, that’s nice. How convenient.

The data processor’s Web site runs on Microsoft’s Windows 2000 operating system and IIS Server 5.0, which has fueled speculation that its other set-ups may also be Microsoft-based.

So, what, did they forget to install a service pack or “security” update?

Now comes the really scary part:

MBNA, one of the largest U.S. credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won’t contact the individuals affected but is keeping a close eye on the compromised accounts, said Jim Donahue, an MBNA spokesman.

Well, isn’t that special? They won’t even tell their customers that their cards have been stolen. Is that to protect the innocent, help the FBI, or just not have to deal with freaking out their customers because they’ve contracted with a loser organization?

Lest we think that CardSystems is the only loser in the group, let me remind you:

Two weeks ago, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. …data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

Clearly, a new way of handling this data has to be found. We simply can’t trust that those who hold the data will treat it responsibly.

Call your bank.