Lost in cyberspace

MasterCard International announced on June 17 that up to 40 million credit-card accounts had become exposed to fraud after computer hackers stole account information from a credit-card payment processor. MasterCard accounts made up 13.9 million of those exposed, while Visa accounts made up about 20 million. American Express cards and Discover cards may also have been exposed, as have cardholders as far away as Japan and Hong Kong.

Jessica Antle, spokeswoman for MasterCard International Inc., says only 68,000 of the 13.9 million exposed MasterCard accounts were at "higher levels of risk," and the risk to those was for fraudulent charges on existing cards, not identity theft. "Social Security numbers, dates of birth, information like that are not stored on your credit card' and were not exposed to theft, she said. Overall, about 200,000 accounts fall in the high-risk category.

Who is at fault? Other than the hackers themselves, the problem seems to lie with CardSystems Solutions Inc. The Atlanta-based company processes credit-card transactions and, in breach of contracts with Visa and MasterCard, was storing cardholder information for "research purposes."

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," MasterCard official Joshua Peirez told The New York Times. "They were keeping it." Since CardSystems doesn't have the internal safeguards that MasterCard and Visa have, the stored records were at greater risk of a security breach.

The FBI is investigating the theft, but in the meantime, cardholders are not powerless in the face of fraud. The most important thing they can do, say experts, is closely monitor their credit-card statements-either when the statements come in the mail or more frequently online-and contact their credit-card company if a fraudulent charge appears.

On the broader issue of identity theft, Americans are gaining new tools to protect themselves. By September, all Americans will be able to receive a free copy of their credit report each year (see below).

A person who has lost his wallet or otherwise may be a potential victim of identity theft can also request a 90-day fraud alert from the three credit-reporting bureaus. With a fraud alert in place, lenders have to call the person and obtain approval before a credit account can be opened in his name. With a police report or other evidence of potential identity theft, the fraud alert can be extended to seven years.

Depending on where you live, you may also be eligible for a "credit freeze." In states with credit-freeze laws, a person can freeze his credit so that no new accounts or loans can open in his name at all. The downside is that it can take several days to lift the freeze when a person wants to obtain a credit card, buy a car, or refinance a mortgage.

Credit-freeze laws (some of which limit freezes to identity-theft victims) are in effect in Colorado, California, Louisiana, Maine, Texas, Washington, and Vermont, and 22 other states are considering similar laws. To contact credit-reporting bureaus: Equifax 888-766-0008 Credit Information Services P.O. Box 740241 Atlanta, GA 30374 www.equifax.com Experian 888-397-3742 P.O. Box 2002 Allen, TX 75013 www.experian.com TransUnion 800-680-7289 P.O. Box 2000 Chester, PA 19022 www.transunion.com To obtain free copies of your credit reports, go to: www.annualcreditreport.com or call: 877-322-8228. You can also write to: Annual Credit Report Request Service P.O. Box 105283 Atlanta, GA 30348-5283