Mastercard Data Security Incident
- Standards_Guru
- Aug 30, 2019
Occasionally, among the regular news of data breaches, an incident has wider implications for information security and data privacy than the usual human cost of lost privacy, inconvenience and even financial theft. For information security practitioners like myself, it can go to the core of how information security is policed and enforced.
Mastercard are one of the five payment brands that were involved in the creation of the Payment Card Industry Data Security Standard (PCI DSS). The payment brands may, at their discretion, fine acquirers, who will pass those fines down to merchants for non-compliance or in the event of a data breach. But who takes action against the payment brands if they get things wrong?
In this case, the answer may be the Data Protection Authorities (supervisory authorities).
So what happened?
The incident was first noticed on August 19th 2019.
The leak involved 90,000 customer names, addresses, dates of birth, gender, contact numbers, email addresses and credit card numbers. Mastercard discovered Microsoft Excel spreadsheets containing this information on the Internet. This appeared to be restricted to its German loyalty program partner Priceless Specials.
This brings the importance of properly managing third-party information security back to the fore. In any Controller/Processor relationship, the Controller can still be held liable if it has not properly ensured that the Processor has adequate technical and organisational measures in place to protect personal data.
There is also provision within the PCI DSS standard for managing third parties who may process payment card data, under Requirement 12.8: "Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data."

It goes without saying that processing plaintext PAN in spreadsheets is not an appropriately secure method of managing or processing payment card numbers, nor is making this data publicly available (though this was surely unintentional and possibly attributable to human error). This leads to the conclusion that the processing was not compliant with Article 32 of the GDPR, Security of Processing.
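A check a Controller or Processor can run over a spreadsheet export before it is shared, added here as an example (not part of the original post or of Mastercard's own process): it scans CSV-style data for Luhn-valid card numbers and reports each finding with the PAN masked, so a plaintext PAN leak like the one described above is caught before the file leaves the organisation. The sample rows are constructed and use well-known test card numbers, not real cards.

```python
import csv
import io
import re

# Candidate card-number sequences: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the first six and last four digits (the usual PCI DSS display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_plaintext_pans(text: str):
    """Scan a CSV export cell by cell; return (row, column, masked PAN) for every Luhn-valid PAN."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            for match in PAN_CANDIDATE.finditer(cell):
                digits = re.sub(r"[ -]", "", match.group(0))
                if luhn_valid(digits):  # phone numbers and dates of birth fail this filter
                    findings.append((row_no, col_no, mask_pan(digits)))
    return findings


# Constructed sample resembling a loyalty-programme export (test card numbers only).
SAMPLE_CSV = """name,dob,phone,card
Alice Example,1980-01-01,+49 30 1234567,4111 1111 1111 1111
Bob Example,1975-05-05,+49 89 7654321,5555555555554444
Carol Example,1990-09-09,+32 2 5551234,1234567890123
"""

if __name__ == "__main__":
    for row, col, masked in find_plaintext_pans(SAMPLE_CSV):
        print(f"row {row} column {col}: plaintext PAN found, {masked}")
```

The third row's 13-digit value fails the Luhn check and is not reported, which keeps the scan from flagging every long number in a file.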
Mastercard have notified the German and Belgian Data Protection Authorities, who are now investigating the incident further. Mastercard are also continuing their own investigation and are offering free credit monitoring and identity theft prevention services to the impacted customers for one year.
In the event of any action being taken by the Data Protection Authorities, the scale of the impact on Mastercard's customers will be taken into consideration, as well as how well the organisation responded to the incident, how it co-operated with the Data Protection Authorities and what improvements it has put in place.
The above article reflects the opinion of the author only, based on publicly available information on the incident at the time of publication.