Cyber Incident Victim: Discover Financial Services
Date: Aug 2018
Location: United States of America
Summary
Discover Financial Services experienced a data breach impacting cardholders' information, including account numbers, expiration dates, and security codes, though the incident did not originate from the company's own systems. The breach likely stemmed from compromised third-party entities or illicit card data sales, prompting the issuer to proactively replace affected cards with updated security features. Two distinct breach notifications suggested multiple sources of compromised data or differing card types involved, with variations in guidance for updating automatic billing and partial reissuance of new account numbers. The organization emphasized zero liability for unauthorized transactions but did not disclose the total number of impacted customers.
Description
On August 13, 2018, Discover Financial Services identified a potential compromise of customer payment card data, though the breach was not publicly disclosed until sample notifications were filed with the California Attorney General’s office on January 25, 2019. The incident did not involve Discover’s own systems, indicating that card information was likely obtained through third-party sources such as compromised merchant systems, skimming devices, or black market sales. Exposed data included account numbers, expiration dates, and security codes—sufficient details to enable fraudulent transactions. While California law mandated notification due to impacts on over 500 state residents, Discover did not disclose the total number of affected customers nationwide. The company initiated card replacements for all potentially compromised accounts, issuing new cards with updated expiration dates and security codes to mitigate fraud risks. Discover emphasized its zero-liability policy for unauthorized purchases in breach notifications sent to customers.

Two distinct sample notifications submitted to California authorities suggested variations in the breach’s scope or card types involved. One notification instructed customers to contact specific merchants managing automatic bill payments, while the other advised reaching out only to unlisted merchants. Additionally, only a subset of affected customers received cards with entirely new account numbers, implying differing risk assessments for portions of the exposed data. Discover confirmed ongoing monitoring of accounts and collaboration with third parties following external inquiries about the incident. The company reiterated that its internal systems remained secure throughout the event, shifting focus to external compromise vectors. No further technical details regarding attack methods, data exfiltration pathways, or identity of responsible parties were disclosed in available reports.
