A data breach at Discover Financial Services has potentially provided attackers with access to an undisclosed amount of customer information, although anything from account numbers and expiration dates to security codes might have been stolen.
Although these types of data breaches are not uncommon for financial institutions, this is only the second time a data breach involving customers' cards has been reported during 2018 by Discover Financial Services to the California Attorney General.
According to California's law, companies who conduct business with California residents are required to file security notices with the Attorney General's office in the event of a data breach or a cybersecurity incident impacting customer data. Moreover, firms have to send and submit a sample of the data breach notice that is sent if more than 500 California residents are affected.
Discover Financial Services learned that on August 13, 2018, an undisclosed number of Discover card accounts might have been part of a data breach according to sample notices filed on January 25, 2019, with the California Attorney General's office. However, according to the same notices, "Please know, this breach did not involve Discover card systems."
Discover provided no information on the number of customers affectedThis would imply that the card information has either been stolen by attackers from third parties who had the payment details of Discover customers stored on systems that were compromised or that the Discover card data was found up for sale on the black market, possibly stolen using skimmers or data-stealing malware.
Although there is no info regarding the number of individuals affected by this data breach, Discover chose to issue new cards for all the customers that might have had their card information swiped in the attack.
Notice of data breachDiscover's breach notification says that "We are issuing you a new card with a new security code and expiration date to reduce the possibility of fraud on your account. Remember, if your account does experience fraud, you're never responsible for unauthorized purchases on your Discover card."
Furthermore, the two separate sample breach notifications which were filed with the Attorney General's office hint at either two collections of card data being found or at two types of cards being involved in the data breach.
The two breach notification are also different when it comes to the "Automatic Bills" section, with one saying that "there's no need to contact the merchants we've listed below" while also stating that the ones not listed should be contacted. The other one suggests the customers get in touch with a pre-defined list of merchants who bill their cards automatically.
Automatic Bills sectionsThe other difference between the two notification samples is that only some of the customers who were affected have also been issued a card with a new account number.
Reset card informationBleepingComputer contacted Discover Financial Services asking for more details regarding the data breach, but did not receive an answer prior to publication. We will update if that changes.
Update 1/28/19 9:16 PM EST:
Discover issued a statement by replying to our tweet:
"We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We're aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts. *Shawni"
source
