The number of potentially affected users is still unknown
Network security and ethical hacking specialists from the International Institute of Cyber Security reported a security incident on the Discover card systems, through which malicious users are believed to have accessed an undetermined amount of users’ personal details, such as account numbers, expiration dates, and even card security codes.
Although this kind of security incident is common among financial institutions, this is the second time in less than a year that Discover Financial Services has notified the California authorities of a data breach related to its clients’ cards.
California law states that companies conducting business with city residents must notify the Attorney General’s office in the event of a theft of similar data or cybersecurity incidents that may affect customers’ information and privacy. In addition to the notification, companies must send a sample of the compromised information to the Attorney’s office when the security incident affects 500 or more Californians, cybersecurity experts said.
On August 13, the Discover Financial Services team found that an unspecified number (still not publicly disclosed) of Discover card accounts could have been part of a data breach; however, the company stresses that the incident “did not involve the card systems”.
Based on Discover’s comments, network security specialists believe that the attackers may have obtained the information through third-party services with access to Discover customers’ payment data, or that the data could have been put up for sale on some dark web forums after being collected by data theft malware or by card skimmers installed at points of sale or ATMs.
Discover decided not to disclose the number of users involved in this incident, although it is known that the company decided to issue new cards for each of the potentially affected customers.
According to experts in network security, the Discover incident report mentions that: “A new card will be issued with new security codes and expiration dates to mitigate the risks of identity fraud or similar malicious activities. If you find any evidence of fraudulent activity in your account, you must notify Discover to provide liability for suspicious activities”.
Discover conducted two data breach notification processes with the Attorney General’s office, implying that two or more collections of credit card data were involved in the incident; it may also mean that more than one type of card has been compromised.