MasterCard Inc.andVisa Inc.warned Friday that some of the data in their cardholder accounts may have been breached.
The companies don't directly issue credit cards – they process card transactions for the banks that do. MasterCard said that it had notified banks – as well as law enforcement – of a potential problem with a third party, "U.S.-based entity."
An independent data security organization is conducting a forensic review, MasterCard said. The company's own systems haven't been compromised. Visa said the same.
"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the company said in a statement without specifying how many cards may be at risk.
Visa said in a statement that it had handed over affected account numbers to card issuers who would, if necessary, reissue cards. Cardholders won't be held responsible for fraudulent purchases, Visa said.
Earlier, the blog Krebs on Security wrote that MasterCard and Visa have told banks that the "major breach" could involve more than 10 million card numbers compromised between Jan. 21 and Feb. 25. The post noted that the affected information could be used to make counterfeit new cards.
The Privacy Rights Clearinghouse, a San Diego nonprofit organization, tallied more than 535 data breaches last year involving more than 30.4 million sensitive records. The organization, which publishes a chronology of known data breaches, said it has added up an "alarming" total of 543 million compromised records in the United States since 2005.
Director Beth Givens said that number was only a "sampling." Not all data breaches come to the attention of news organizations, she said, and many states have no requirement that companies report breaches to an official clearinghouse.