Discover replaces customer cards following breach at unidentified outside entity

Some Discover Card users are receiving new payment cards in the mail after a data breach exposed financial information, according to two customer notices submitted to the California attorney general’s office.

Discover Financial Services said the breach did not involve its own systems. While the company doesn’t elaborate in the customer notices, a spokesman told CyberScoop it was taking action because of a breach that orignated with a service the company declined to identify.

“We are prohibited from naming the merchant, and I can tell you only that the number is small,” Jon Drummond, Discover’s director of media relations, said via email. “It is not something that we ever report.”

“This incident was the result of a merchant data compromise, and not the result of any action by Discover or an intrusion of our customer information systems. We re-issued cards out of an abundance of caution for our cardholders,” he said.

The two breach notifications differ slightly: some customers are getting cards simply with new security codes and expiration dates, while other customers are being issued new account numbers as well. For the latter group, Discover is advising those customers to also tweak automated billing information for services they pay for using the card.

This does not mean that the affected customers’ payment data was necessarily abused, but the company said it was issuing new cards “to reduce the possibility of fraud.”

The breach occurred on or around Aug. 13, 2018, according to California’s attoney general. The notices were published pursuant to a California law requiring the public disclosure of a breach affecting 500 or more California residents.