An undisclosed number of Discover card account holders have learned of a data breach that might have compromised their account information.
According to Bleeping Computer, Discover Financial Services first learned of the security incident on 13 August 2018. The American financial services company subsequently filed data breach notices with the California Attorney General’s office on 25 January 2019. This action complies with California law, which requires companies that engage in business with the state’s residents to file security notices with the Attorney General’s office in event of a data breach and submit copies of those notices if more than 500 Californians receive those notices.
Two sample notices obtained by Bleeping Computer inform recipients that the breach “did not involve Discover card systems.” They clarify that the incident might have exposed users’ account information. But they note that Discover Financial Services doesn’t know exactly which data the event might have affected.
As a precaution, the notices explain that the company has issued the account holder a new card replete with a new security code and expiration date. One of the notices further encourages users to contact certain online retailers, mobile wallet providers and other merchants identified by Discover that bill their cards automatically. The other notice provides a list of other merchants which users don’t need to contact, but it encourages them to contact any other parties they know of that automatically bill their cards.
Bleeping Computer received the following statement from Discover following the publication of its article:
We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts….
Those who receive one of these notices from Discover should activate and sign their new card to help keep their account safe. They should also consider setting up fraud alerts on their accounts, reviewing their account statements regularly and taking some simple steps to reduce the risk of identity theft.