When Citigroup's credit card division, out of the blue, sent Massachusetts resident Bill Laberis a replacement MasterCard with a new number and told him to immediately activate it, he got curious.
Laberis called the 800 number and a recording told him "your number is changed because your card was stolen or compromised." He followed up with a Citi representative, who said his personal card hadn't been stolen, but that "hundreds of thousands of cards" are being replaced because credit-card information had been stolen from a database somewhere.
The Citi representative didn't say where the massive break-in had occurred -- whether at MasterCard, Citi or anywhere else along the card-processing chain of merchants and vendors -- but merely indicated an investigation was underway, Laberis says.
Sounds like news of yet another giant data breach, right? Not exactly.
Citigroup Tuesday told Network World that there is no new credit-card data breach to report. Rather, new card issuances are done to minimize risks associated with past, known card breaches, Citigroup says, and when reps talk about "massive break-ins," they are generally referring to events that occurred in the past.
For instance, Heartland Payment Systems disclosed in January a 2008 data breach that allowed cybercriminals to tap into 100 million card numbers.
This type of massive data breach takes months to investigate and figure out in detail, industry watchers say. The impact may be felt by some cardholders only after considerable time has passed. If fraud analysis techniques suggest the risk of fraud is on the rise for particular cardholders, banks often take the step of issuing new cards, for example.
In a statement, Citi said: "When we become aware of a data breach, we take appropriate steps, above and beyond our normal prevention and detection actions, on any customer accounts that may have been reported. Our detection actions include the use of Citi's Fraud Early Warning Detection System to monitor accounts, and our prevention actions include notifying some customers who we think may be at increased risk due to suspicious activity." Citi adds that customers are "not liable for any unauthorized use of their accounts."
Dave Collett, a MasterCard spokesman, said MasterCard wasn't aware of any new event associated with a massive card data breach. He explained that larger banks often put accounts on watch when a database breach is known to have occurred, and the card re-issuance process tends to occur in waves over a protracted period of time.
Fortunately for Laberis, the only impact of being issued a new credit card number -- besides the surprise of hearing about a massive data breach -- is that he'll have to make a few changes to the automated bill-paying system he uses that pushes a few payments through the credit card.