70

I was recently informed, by the payment processing agency of my bank, that an online shop was compromised and that as a precaution my MasterCard credit card was frozen and replaced. There was no actual fraudulent charge.

I have inquired with my bank which particular shop was compromised, but was told that they do not receive this information from MasterCard for privacy reasons.

I feel that I am entitled to know where my private information was leaked. It does influence my decisions as a consumer. Further I have to consider that other private information may also have been leaked. The privacy argument seems pretextual.

Is it common to withhold this kind of information from affected customers? Are there any further ways to find out more about what happened?

Note: I was unable to speak to anyone at MasterCard, all attempts were forwarded automatically to the bank.

psmears
Tari

4 Answers

65

As indicated in comments, this is common practice in the US as well as EU. For example, in this Fox Business article, a user had basically the same experience: their card was replaced but without the specific merchant being disclosed. When the reporter contacted Visa, they were told:

“We also believe that the public interest is best served by quickly notifying financial institutions with the information necessary to protect themselves and their cardholders from fraud losses. Even a slight delay in notification to financial institutions could be costly,” the spokesperson said in an e-mail statement. “Visa works with the breached entity to collect the necessary information and provides payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring, and if needed, reissuing cards. The most critical information needed is the affected accounts, which Visa works to provide as quickly as possible.”

What they're not saying, of course, is that it's in Visa's best interests that merchants let Visa know right away when a leak occurs, without having to think about whether it's going to screw that merchant over in the press. If the merchant has to consider PR, they may not let the networks know in as timely of a fashion - they may at least wait until they've verified the issue in more detail, or even wait until they've found who to pin it on so they don't get blamed.

But beyond that, the point is that it's easier for the network (Visa/Mastercard/etc.) to have a system that's just a list of card numbers to submit to the bank for re-issuing; nobody there really cares which merchant was at fault, they just want to re-issue the cards quickly. Letting you know who's at fault is separate. There's little reason for the issuing bank to ever know; you should find out from the merchant themselves or from the network (and in my experience, usually the former).

Eventually you may well find out - the article suggests that:

[T]he situation is common, but there is some good news: consumers do in many cases find out the source of the breach.

But of course it doesn't go into detail about numbers.

Joe
8

I found a German article describing the legal situation in Germany. To summarize:

  • The "Bundesdatenschutzgesetz (BDSG) § 42a Informationspflicht bei unrechtmäßiger Kenntniserlangung von Daten" (roughly: Privacy Act: Obligation to inform on illegal obtainment of information) governs this situation.
  • Credit card information is explicitly included in the law (§ 42a 4).
  • Condition 1: It needs to be very likely that a third party has obtained the information and the company needs to know that.
  • Condition 2: There needs to be a severe adverse impact on the affected. The risk of assessing this correctly is with the company.
  • The affected must be informed immediately, but only after countermeasures are performed and the criminal investigation is not endangered.
  • The disclosure must give the affected a hint on the way the information was illegally obtained, and measures to mitigate potential consequences. The affected shall know that and which information leaked to outsiders.
  • If it would not be feasible to inform each affected person, in particular because there are too many, they can also inform the public through at least two half-page newspaper advertisements or the like.

As outlined by the many possible reasons in the other answer, it is unclear from the information I have whether condition 1 holds. Also condition 2 may not hold since the credit card was frozen.

I suppose this makes a good argument to MasterCard and my bank, but I also suspect they will not care unless it comes with an attorney letterhead.

Tari
7

Others have already commented on the impact of anything which dissuades merchants from raising possible breaches, so I won't dwell on that. Maybe we need stronger legislation, maybe we don't, but it doesn't change today's answer. Often it works the other way around to what you might expect - rather than the merchant noticing and notifying Visa/MC/others, Visa/MC/others spot patterns of suspicious activity (example 1).

I don't have any data on the relative numbers of who is being notified/notifying between merchants and payment processors, but at the point when your card is identified as compromised there's no reason to suppose that an individual merchant in the traditional sense has been compromised, let alone identified. In fact, because there's a fast-moving investigation, it could even be a false alarm that led to your card getting cancelled. Conversely, it could be a hugely complex multinational investigation which would be jeopardised.

It's simply not safe to assume that "brand X" has been compromised and therefore everything "brand X" knows about you is also compromised:

  1. They could be separate systems, so only CC info involved
  2. It could be their upstream payment processing contractor (and by implication all other merchants with the same setup, example 2 but think SagePay/WorldPay/PayPal etc. in the online world)
  3. (Not related to online so much) could be just one franchisee of a large franchise
  4. They may not even know which online shop, simply the type of data attached in a "dump" indicates it's likely to be online, but the only thing known so far is that your card number had shown up somewhere

Furthermore, there's no reason to assume the merchant has even admitted to, or discovered, the root cause. MC/Visa/banks, at the point at which they're cancelling cards, simply can't say (at least not in a way that might expensively backfire involving lots of lawyers) because the standard of proof needed to go on record blaming someone is simply not yet met.

So: yes, it's common that you aren't told anything, for all of the above reasons. And of course if you really want to find out more you may have some success with your local data protection legislation and formally make a subject access request (or local equivalent) to see what that brings back. Be sure to do it in writing, to the official address of both Mastercard and your bank.
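To make concrete why a network can know that cards are compromised without knowing which merchant is at fault, here is an added, deliberately simplified common-point-of-purchase analysis over constructed transaction data (example code written for this page, not from the answer or any card network; real analyses also use time windows and baseline fraud rates). Grouping by merchant points at two shops equally, while grouping by their shared processor explains every flagged card, which is exactly the ambiguity in point 2 above.

```python
from collections import defaultdict

# Constructed sample data (not from the page): each tuple is one purchase,
# recorded as (card, merchant, payment processor the merchant uses).
TRANSACTIONS = [
    ("c01", "ShopA", "ProcX"), ("c02", "ShopA", "ProcX"),
    ("c03", "ShopA", "ProcX"), ("c04", "ShopA", "ProcX"),
    ("c05", "ShopB", "ProcX"), ("c06", "ShopB", "ProcX"),
    ("c07", "ShopB", "ProcX"), ("c08", "ShopB", "ProcX"),
    ("c09", "ShopC", "ProcY"), ("c10", "ShopC", "ProcY"),
    ("c11", "ShopC", "ProcY"), ("c01", "ShopC", "ProcY"),
]
# Constructed: cards on which the issuer later saw fraudulent charges.
FRAUD_CARDS = {"c01", "c02", "c03", "c05", "c06", "c07"}

MERCHANT, PROCESSOR = 1, 2  # tuple column to group by


def cards_by_entity(transactions, column):
    """Map each merchant (or processor) to the set of cards seen there."""
    seen = defaultdict(set)
    for row in transactions:
        seen[row[column]].add(row[0])
    return seen


def rank_suspects(transactions, fraud_cards, column):
    """Common-point-of-purchase ranking: for each entity, how many of its
    cards were later flagged, sorted by flagged share (highest first)."""
    seen = cards_by_entity(transactions, column)
    rows = [(name, len(cards & fraud_cards), len(cards))
            for name, cards in seen.items()]
    return sorted(rows, key=lambda r: (-r[1] / r[2], r[0]))


def single_source_candidates(transactions, fraud_cards, column):
    """Entities whose card set accounts for EVERY flagged card; an empty
    list means no single entity at this level explains the pattern."""
    seen = cards_by_entity(transactions, column)
    return sorted(n for n, cards in seen.items() if fraud_cards <= cards)


if __name__ == "__main__":
    for col, label in ((MERCHANT, "merchant"), (PROCESSOR, "processor")):
        print(f"by {label}: {rank_suspects(TRANSACTIONS, FRAUD_CARDS, col)}")
        print(f"  single source: "
              f"{single_source_candidates(TRANSACTIONS, FRAUD_CARDS, col)}")
```

With this data the merchant-level view cannot name a single culprit (ShopA and ShopB tie and neither covers all flagged cards), while the processor-level view names ProcX, so the network knows the cards but not the responsible party until more evidence arrives.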

1

If you really want to know, sue them.

File a John Doe lawsuit, "plaintiff to be determined", and then subpoena the relevant information from Mastercard. John Doe doesn't countersue, so you're pretty safe doing this.

But it probably won't work. Mastercard would quash your subpoena. They will claim that you lack standing to sue anyone because you did not take a loss (which is a fair point).

This is total war. Amy's Waffles is not the enemy.

They are after the people doing the hacking, and the security gaps which make the hacking possible. And how those gaps arise among businesses just trying to do their best. It's a hard problem.

And I've done the abuse wars professionally. OpSec is a big deal. You simply cannot reveal your methods or even much of your findings, because that will expose too much of your detection method. The ugly fact is, the bad guys are not that far from winning, and catching them depends on them unwisely using the same known techniques over and over. When you get a truly novel technique, it costs a fortune in engineering time to unravel what they did and build defenses against it. If maybe 1% of attacks are this, it is manageable, but if it were 10%, you simply cannot staff an enforcement arm big enough - the trained staff don't exist to hire (unless you steal them from Visa, Amex, etc.)

So as much as you'd like to tell the public, believe me, I'd like to get some credit for what I've done -- they just can't say much or they educate the bad guys, and then have a much tougher problem later. Sorry! I know how frustrating it is!

How this might occur - not Amy's fault

The credit card companies hammered out PCI-DSS (Payment Card Industry Data Security Standards). This is a basic set of security rules and practices which should make hacking unlikely. Compliance is achievable (not easy), and if you do it, you're off the hook. That is one way Amy can be entirely not at fault.

Example deleted for length, but as a small business, you just can't be a PCI security expert. You rely on the commitments of others to do a good job, like your bank and merchant account salesman. There are so many ways this can go wrong that just aren't your fault.

As to the notion of saying "it affected Amy's customers but it was Doofus the contractor's fault", that doesn't work: the Internet lynch mob won't hear the details and will kill Amy's business. Then she's suing Mastercard for false light, a type of defamation where the facts are true but are framed falsely. And defamation has much more serious consequences in Europe.

Anyway, even a business not at fault has to pay for a PCI-DSS audit. A business at fault has lots more problems, at the very least paying $50-90 per customer to replace their cards. The simple fact is 80% of businesses in this situation go bankrupt at this point.

That data breach may not be so bad

Usually fraudsters make automated attacks using scripts they got from others. Only a few dozen attacks (on sites) succeed, and then they use other scripts to intercept payment data, which is all they want. They are cookie cutter scripts, and aren't customized for each site, and can't go after whatever personal data is particular to that site. So in most cases all they get is payment data.

It's also likely that primary data, like a cloud drive, photo collection or medical records, are kept in completely separate systems with separate security, so it's unlikely both get hacked at once even if the hacker is willing to put lots and lots of engineering effort into it. Most hackers are script kiddies, able to run scripts others provided but unable to hack on their own.

So it's likely that "none was leaked" is the reason they didn't give notification of private information leakage.

Lastly, they can't get what you didn't upload. Site hacking is a well-known phenomenon. A person who is concerned with privacy is cautious not to put things online that are too risky.

It's also possible that this is blind guesswork on the part of Visa/MC, and they haven't positively identified any particular merchant, but are replacing your cards out of an abundance of caution.

Harper - Reinstate Monica