Discover Financial Services suffered a data breach that exposed an undisclosed amount of customer data to attackers, including payment card details such as account numbers, card expiration dates, and security codes.
Discover learned about the incident on August 13, 2018, but filed security notices with the California Attorney General's office on January 25, 2019.
Under California state law, companies that conduct business with California residents are required to file security notices with the Attorney General's office in the event of a data breach or a cybersecurity incident impacting customer data. Moreover, companies have to send and submit a sample of the data breach notice if more than 500 California residents are affected.
Discover card systems not involved in the breach
In the security notices filed with the Attorney General’s Office, Discover confirmed that the breach did not involve Discover card systems.
New cards issued
Discover Financial Services said that it is issuing new cards for all the customers who might have had their card information compromised in the attack.
“We are issuing you a new card with a new security code and expiration date to reduce the possibility of fraud on your account. Remember, if your account does experience fraud, you're never responsible for unauthorized purchases on your Discover card,” the data breach notification read.
Differences in the contents of two sample breach notifications
The two separate sample breach notifications filed with the Attorney General's office indicate that,
Differences were noted in the Automatic Bills section of both the sample notices as well,
Furthermore, one sample stated that the new card will be issued with a new account number, new expiration date, and new security code, while the other sample stated that the new card will only have a new expiration date and new security code.
“We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We're aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts,” Discover replied to BleepingComputer’s tweet.