- The compromised customer data includes payment card details such as account numbers, card expiration dates, security codes etc.
- Discover Financial Services is issuing new cards for all the customers who might have had their card information compromised in the attack.
Discover Financial Services suffered a data breach that gave attackers access to an undisclosed amount of customer data, including payment card details such as account numbers, card expiration dates, security codes, etc.
Discover learned about the incident on August 13, 2018, but the company filed security notices with the California Attorney General's office on January 25, 2019.
According to California state laws, companies that conduct business with California residents are required to file security notices with the Attorney General's office in the event of a data breach or a cybersecurity incident impacting customer data. Moreover, companies have to send and submit a sample of the data breach notice if more than 500 California residents are affected.
Discover card systems not involved in the breach
In the security notices filed with the Attorney General’s Office, Discover confirmed that the breach did not involve Discover card systems.
- This implies that the card information could have been stolen from third parties that stored Discover customers' card details on systems that were compromised, or
- Discover card data stolen using skimmers or information-stealing malware could have been put up for sale on the black market.
New cards issued
Discover Financial Services said that it is issuing new cards for all the customers who might have had their card information compromised in the attack.
“We are issuing you a new card with a new security code and expiration date to reduce the possibility of fraud on your account. Remember, if your account does experience fraud, you're never responsible for unauthorized purchases on your Discover card,” the data breach notification read.
Differences in the contents of two sample breach notifications
The two separate sample breach notifications filed with the Attorney General's office indicate that either:
- Two collections of card data were involved in the breach, or
- Two types of cards were involved in the breach
Differences were also noted in the Automatic Bills section of the two sample notices:
- The Automatic Bills section of one notice said that "there's no need to contact the merchants we've listed below", while also stating that the ones not listed should be contacted.
- The other one advised affected customers to get in touch with a pre-defined list of merchants who bill their cards automatically.
Furthermore, one sample stated that the new card will be issued with a new account number, new expiration date, and new security code, while the other sample stated that the new card will only have a new expiration date and new security code.
“We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We're aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts,” Discover replied to BleepingComputer’s tweet.