Unknown number of Discover customers affected by data breach
An unknown number of accounts belonging to Discover Financial Services Inc. have been stolen, according to a filing from the company with the State of California.
In the filing, first reported Monday by Bleeping Computer, Discover said it had detected a data breach on Aug. 13.
The filing, which is required under California law when a data breach affects more than 500 residents of the state, provides very little in the way of details. Discover did say in the filing that it was issuing new cards with new security codes and expiration dates to those affected “to reduce the possibility of fraud.”
Discover claimed it was not directly hacked. “We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review,” a spokesperson for Discover said. “We’re aware of a possible merchant data breach and are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”
Anthony James, chief strategy officer at CipherCloud Inc., told SiliconANGLE that Discover’s breach is quite typical of financial firms and credit processors these days.
“In today’s environment attackers will get into your networks — that’s a fait accompli,” James said. “We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach. What we don’t expect to hear is that the databases and credit card data are, amazingly, unencrypted.”
Colin Bastable, chief executive officer of Lucy Security Inc., noted that outside firms are the chief information security officer’s Achilles’ heel.
This case “appears to be a classic case of a third party’s failure to protect Discover Card customer data,” Bastable said. “The costs for Discover will be a rounding error, and have already been built into their Q4 provisions, which are up 18 percent over Q4 2017. The 176 million card-carrying U.S. consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards.”
Felix Rosbach, product manager at comforte AG, noted that payment card data is some of the most sensitive because fraud is easy to commit with it.
“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup,” Rosbach said. “Implementing data-centric security, which means protecting data at the earliest possible point and deprotecting it only when absolutely necessary, is the only way forward.”