Nearly 1.5 million US Visa and MasterCard accounts have been hacked in a major credit card heist.
The data leak was revealed on Friday, when both companies confirmed that a major theft of U.S. consumers’ credit card data was being investigated.
It was first thought that as many as 10 million customers’ information had been stolen.
The companies, which are the two largest global credit card processors, said the issue stemmed from a third-party vendor, Global Payments, and not their own internal systems.
“Less than 1,500,000 card numbers may have been exported by hackers who had access to the firm’s payment processing system,” Global Payments said in a statement.
“Cardholder names, addresses and social security numbers were not obtained by the criminals.”
However, even without this information, the company admitted that the data taken from each account would be enough to make fraudulent transactions.
It also said hacker access was limited to North America.
Following the news, trading in the company’s shares was halted after they dropping more than 9.1%.
Global Payments said it had “identified and self-reported unauthorized access into a portion of its processing system” and had determined in early March that the intruders might have gained access to credit-card data.
Customers have been urged to check their accounts online or contact their financial institution regarding any concerns they have.
MasterCard said in a statement: “MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information.”
Visa also released a statement saying their customers were victims of data theft, but said its own systems were not hacked.
The company has provided the issuing banks with the affected account numbers and assured customers they would not be responsible for fraudulent purchases.
The companies’ statements came after the blog Krebs on Security reported that MasterCard and Visa have been alerting banks across the U.S. about a “massive” breach that may affect more than ten million cardholders.
Brian Krebs told Technology Live: “Law enforcement asked everyone to keep it quiet so as not to disturb investigations.”
The breach likely occurred at a central aggregation point where card information is calculated, said Avivah Litan, security analyst at Gartner Research.
Avivah Litan believes the data is already being used on the street by identity thieves.
She wrote on her blog: “I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently.
“From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.”
Avivah Litan also said that unverified reports point to a Central American gang that broke into the company’s system by answering the application’s knowledge-based authentication questions correctly.
“Looks like the hackers took over an administrative account that was not protected sufficiently.”