Exposed data included holder names, banks and account numbers. No Social Security numbers, birth dates or other personal information were stored on the accounts.
Roughly 13.9 million cards were of the MasterCard brand, said MasterCard, which pinpointed the breach at CardSystems, an Atlanta-based company that processes transactions between financial services firms and merchants. Visa and American Express also said data was exposed through CardSystems.
MasterCard said in a statement that it used fraud-fighting tools to identify the breach, which could have allowed a perpetrator to access cardholder data on the CardSystems computer network. A security team then worked with CardSystems to neutralize the vulnerabilities in the systems.
CardSystems said in a statement it alerted the FBI to the possibility of a security gaffe in May. The processing company then installed new security gear to ensure all systems were secure and solicited a third party to validate systems security.
''We understand and fully appreciate the seriousness of the situation,'' CardSystems said in a statement. ''Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.''
While CardSystems has attempted to boost its security, MasterCard said it is giving the third-party processor a limited amount of time to comply with MasterCard security requirements.
The Purchase, N.Y., credit card purveyor also notified its customer banks of specific card accounts that may have been subject to compromise.
The company also reiterated its desire to have Congress enact a wider application of Gramm-Leach-Bliley act, which includes provisions to protect consumers' personal financial information held by financial institutions.
GLBA only applies to financial institutions that service consumers, including MasterCard. MasterCard said it would like Congress to extend that application to include any entity, such as third party processors like CardSystems that store consumer financial information.
Such breaches are anything but new. The difference is that there have been plenty of high-profile data exposure cases of late, throwing more light on the issue.
Recently, UPS lost data storage tapes containing the personal information of 3.9 million customers serviced by CitiFinancial. Bank of America and Time Warner had similar cases earlier this year.
The Senate is considering legislation that would provide consumers with notice that their personal data may have been exposed. California's similar law already mandates such notices.
This article was first published on internetnews.com.