The number of potentially affected users is still unknown
Network security and ethical hacking
specialists from the International Institute of Cyber Security reported a
security incident on the Discover card systems, thanks to which malicious users
would have accessed an indefinite amount of users’ personal details, such as
account numbers, expiration dates, and even card security codes.
Even when this kind of security incidents are
common among financial institutions, this is the second time in less than a
year when Discover Financial Services
notifies a data
breach related to the cards of its clients to the California
authorities.
California law states that companies conducting
business with city residents must notify the Attorney General’s office in the
event of a theft of similar data or cybersecurity incidents that may affect customers’
information and privacy. In addition to notifying, companies must send a sample
of the compromised information to the Attorney’s office when the security
incident affects 500 or more Californians, said experts in cybersecurity.
On August 13, the Discover Financial Services
team found that an unspecified number (still not publicly disclosed) of
Discover card accounts could have been part of a data breach; however, the company
stresses that the incident “did not involve the card systems”.
Based on Discover’s comments, network
security specialists believe that the attackers would have obtained the
information by engaging third-party services with access to the Discover
customer’s payment data, or the data could have been for sale in some dark web
forums thanks to the use of data theft malware or to card skimmers installed in
sale points or ATMs.
Discover decided not to disclose the number of
users involved in this incident, although it is known that the company decided
to issue new cards for each of the potentially affected customers.
According to experts in network security, the
Discover incident report mentions that: “A new card will be issued with new
security codes and expiration dates to mitigate the risks of identity fraud or similar
malicious activities. If you find any evidence of fraudulent activity in your
account, you must notify Discover to provide liability for suspicious
activities”.
Discover conducted two data breach notification
processes in the attorney General’s office, implying that in the incident two
or more collections of credit card data were involved, it may also mean that
more than one type of card has been compromised.
