MBNA Mastercard - part of mass compromise

chrisotherwise

I've just been contacted by MBNA who tell me that my Mastercard was part of a "mass compromise". The agent said that they were unable to tell me the name of the compromised retailer as they only received a list of numbers from Mastercard with no further details.... ????

Has anybody else had this? Maybe we could compare recent retailers used to try and narrow it down? Any ideas about other ways I might find out who was compromised?

SammenForLivet2

chrisotherwise wrote: »

I've just been contacted by MBNA who tell me that my Mastercard was part of a "mass compromise". The agent said that they were unable to tell me the name of the compromised retailer as they only received a list of numbers from Mastercard with no further details.... ????

Has anybody else had this? Maybe we could compare recent retailers used to try and narrow it down? Any ideas about other ways I might find out who was compromised?

Did they write or call?

If it was a call, it seems a bit weird - it could be a fraud, did they ask for any details (e.g: Name, Address, DOB, Card Numbers)

chrisotherwise

They sent me a text message. I then called their fraud dept (number printed on my statement) who gave me the information above. I am confident that it is genuine.

imoneyop

It is possible that even Mastercard don't know for sure who was compromised - the card companies will often get lists of cards from the police and other sources that have been found to be in the possession of criminals. They may come from one compromised retailer or many.

SammenForLivet2

chrisotherwise wrote: »

They sent me a text message. I then called their fraud dept (number printed on my statement) who gave me the information above. I am confident that it is genuine.

Are they going to follow up on this case, or did they advise that there issuing a new-card?

I've done a quick search using Google - and the only thing I can find is a compromise in 2012. (http://www.forbes.com/sites/andygreenberg/2012/03/30/millions-of-visa-and-mastercard-accounts-reported-compromised-in-processor-breach/).

To be honest, I doubt that they would tell you the reason or provider behind this issue, since it could cause that provider public damage - when it may not even be their fault (e.g: It could be the retailers card processing merchant), and it could open a lot of legal issues for MBNA.

If you called the number listed on your postal statement, then I presume that this is correct and that you may need to take action.

Personally, I've got over 15+ Prepaid, Credit, Debit and Charge cards, and have not encountered this issue (yet!).

Good luck and sorry I could not help further.

chrisotherwise

The agent said that they had already cancelled the card and a new one would be with me shortly. I've also searched and couldn't find anything obvious online. However I've only used my card a handful of times in the last six months so I don't have a huge number of retailers to choose from.

Hopefully somebody else will come along who has also been contacted and we can compare retailers. I would really like to find out who this is so that I can avoid them until they've tightened up their security.

Thanks for your replies!

msallen

Its been in the news recently that Adobe have been hacked and millions of CC details stolen. Have you bought any software from them?

Atidi

chrisotherwise wrote: »

I've just been contacted by MBNA who tell me that my Mastercard was part of a "mass compromise". The agent said that they were unable to tell me the name of the compromised retailer as they only received a list of numbers from Mastercard with no further details.... ????

Has anybody else had this? Maybe we could compare recent retailers used to try and narrow it down? Any ideas about other ways I might find out who was compromised?

So presumably they have advised that they have cancelled your current card and have already ordered you a new one which should be with you in the next few days.

What does it matter which retailer was involved? If it was a "mass compromise" then it must have been a large retailer. Say it was Tesco or Asda, would that mean you wouldn't shop there again? :huh:

chrisotherwise

Atidi wrote: »

So presumably they have advised that they have cancelled your current card and have already ordered you a new one which should be with you in the next few days.

Correct.

What does it matter which retailer was involved?

It matters a lot.

Online retailers have a duty of care to the customer. They also have to obey the law by being PCI compliant. If they are not compliant then they should be prosecuted. If they are compliant then the PCI rules need to be updated. Either way, such matters should be dealt with openly or we lose all trust for dealing with companies online.

If it was a "mass compromise" then it must have been a large retailer.

Not necessarily. In the past I have worked with relatively small to medium size companies who have held details for hundreds of thousands of customers. Indeed I'd be quite surprised as it was a big company as they tend to have the resource to ensure strict compliance.

Say it was Tesco or Asda, would that mean you wouldn't shop there again? :huh:

Absolutely I wouldn't until I was certain that they'd fixed whatever caused the leak in the first place.

At the moment I know that one of the retailers with whom I shop has been compromised. Unless I can find out which one, I have no option but to trust none of them.

One example of a company that handled this well was Lush Cosmetics. They were hacked a couple of years ago and a large number of credit cards (including mine) were stolen - and used to make purchases around the internet. They immediately held up their hands, took responsibility for the problem and redesigned their web site to be fully secure. They got some flak about this for the first few days - but now they are one of the companies that I trust most online. This "sweep it under the carpet" attitude helps nobody.

chrisotherwise

msallen wrote: »

Its been in the news recently that Adobe have been hacked and millions of CC details stolen. Have you bought any software from them?

Thanks for pointing that one out, unfortunately (or fortunately perhaps) I haven't bought anything from Adobe.

Atidi

chrisotherwise wrote: »

Correct.

It matters a lot.

Online retailers have a duty of care to the customer. They also have to obey the law by being PCI compliant. If they are not compliant then they should be prosecuted. If they are compliant then the PCI rules need to be updated. Either way, such matters should be dealt with openly or we lose all trust for dealing with companies online.

Not necessarily. In the past I have worked with relatively small to medium size companies who have held details for hundreds of thousands of customers. Indeed I'd be quite surprised as it was a big company as they tend to have the resource to ensure strict compliance.

Absolutely I wouldn't until I was certain that they'd fixed whatever caused the leak in the first place.

At the moment I know that one of the retailers with whom I shop has been compromised. Unless I can find out which one, I have no option but to trust none of them.

One example of a company that handled this well was Lush Cosmetics. They were hacked a couple of years ago and a large number of credit cards (including mine) were stolen - and used to make purchases around the internet. They immediately held up their hands, took responsibility for the problem and redesigned their web site to be fully secure. They got some flak about this for the first few days - but now they are one of the companies that I trust most online. This "sweep it under the carpet" attitude helps nobody.

So you don't think whichever large retailer (anyone retailer with hundreds of thousands of customers is large in my book ) was involved would probably be one of the most secure now, having presumably closed whatever open door was available? :cool:

The flak you say Lush Cosmetics received, and which you seem intent on delivering to whichever retailer is involved this time, is presumably why Mastercard are not releasing such details.