Breach Was On Data That Wasn't Supposed To Exist

Late Friday afternoon, MasterCard released the news about how potentially 40 million credit card holders were at risk of having their data stolen, after discovering a hacker had placed a trojan on the computers of a credit card processing company. That was scary enough, but as the details continued to come out over the weekend, the situation just seemed to get worse and worse. Jeremy Wagstaff notes that the processor in question, CardSystems, apparently knew about the breach for nearly a month but claimed they didn't say anything because the FBI asked them not to -- a charge that the FBI denies. Then comes the best part. The NY Times reports that CardSystems wasn't even supposed to have this data. The company processes credit card transactions, but isn't supposed to keep records of the transactions, as per agreements it signed with Visa and MasterCard. However, these days, when it seems to be common practice to play fast and loose with other people's data, CardSystems hung onto all the data, for its own "research" purposes. It looks like those research purposes just caused plenty of problems for an awful lot of people.