States demand cardholders get notice of security breach
A group of 44 state attorneys general demanded yesterday that CardSystems Solutions immediately notify all consumers affected by the security...
Seattle Times business reporter
A group of 44 state attorneys general demanded yesterday that CardSystems Solutions immediately notify all consumers affected by the security breach that exposed roughly 40 million accounts handled by the credit-card processor.
Considered among the largest card security breaches ever, the theft of data last month from CardSystems' Tucson, Ariz., operations center has yet to be fully explained.
The letter asks that Atlanta-based CardSystems explain the breach, outline steps it is taking to mitigate consumer injury and offer a plan to ensure it does not happen again.
"We call upon your company to do the responsible thing and notify all affected consumers immediately," the letter said.
Some Seattle cardholders began receiving letters last week from banks and credit unions that had learned which of their customers were affected. The banks got the information through Visa and MasterCard, which apparently obtained it from CardSystems.
But it is unclear whether all financial institutions plan to tell customers if their credit-card information was exposed.
A Bank of America spokeswoman last week declined to say whether in this case the bank is going beyond its usual fraud-monitoring procedures, which include contacting cardholders if it sees the potential for misuse.
Washington Attorney General Rob McKenna's office said it is CardSystems' job to inform customers.
"We're trying to find out if they have the capability to contact all the consumers directly, but we believe it's their responsibility to do so," said spokeswoman Janelle Guthrie.
McKenna proposed and wrote the letter. It was signed by attorneys general of 43 other states, the District of Columbia, American Samoa, the Northern Mariana Islands and Puerto Rico.
The letter also asks CardSystems to disclose how many consumers in each state were affected, and gives the company a deadline of July 25 to respond.
McKenna's office sent CardSystems a less strongly worded letter early last week, Guthrie said.
"The previous letter gave them the benefit of the doubt that they might already have been contacting people," she said.
That letter gave CardSystems a deadline of tomorrow. The attorney general's office had not heard from the company as of yesterday afternoon.
McKenna also sent letters last week to MasterCard and Visa asking how the security breach came to light and what steps they are taking to mitigate consumer injury, including any efforts to notify Washington cardholders of the breach.
Melissa Allison: 206-464-3312 or firstname.lastname@example.org