Banks Alerted to Massive Card BreachProcessor Confirms Breach; Could Impact 10 Million Accounts
A data breach at payments processing firm Global Payments Inc. may have compromised payment card information from multiple major card brands.
See Also: Ransomware: The Look at Future Trends
MasterCard and Visa are warning card-issuing institutions about the breach that could prove to be the largest incident since the Heartland Payment Systems breach. [See Heartland CEO on Breach Response.]
First reported by security blogger Brian Krebs, this latest breach could potentially affect more than 10 million cards, Krebs says.
According to Krebs, Visa and MasterCard started alerting institutions last week about cards compromised by a processor breach. "The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012, and Feb. 25, 2012," Krebs writes. "The alerts also said that full Track 1 and Track 2 data was taken - meaning that the information could be used to counterfeit new cards."
Global Payments Statement
In a statement issued March 30, Global Payments says it "identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter."
Global Payments processes billions of payment card, check, and e-commerce transactions annually for more than 1 million global merchant locations worldwide.
Trading of Global Payments stock was halted midday March 30 after the stock had dropped 9.1 percent, according to multiple news reports.
Visa, MasterCard Comments
In a statement, Visa said it was "aware of an announcement from Global Payments Inc. that it experienced unauthorized access into a portion of its processing system that may have exposed payment card information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet."
The Visa statement added: "Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.
"It's important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa's zero liability fraud protection policy, which exceeds federal safeguards," Visa says. "Additional consumer security tips are available at www.VisaSecuritySense.com."
MasterCard says it has alerted card issuers that could be at risk as a result of the incident.
"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced, and we continue to both monitor this event and take steps to safeguard account information," the card brand says. "Law enforcement has been notified of this matter, and the incident is currently the subject of an ongoing forensic review by an independent data security organization. It is important to note that MasterCard's own systems have not been compromised in any manner."
One source at a major U.S. card-issuing institution confirms to BankInfoSecurity that its cards have been hit.
"We have been working on this since last Friday," says the source, speaking on condition of anonymity. "I believe the compromise window Visa provided of Jan. 21-Feb. 25 is very thin, as we are seeing similar fraud trends on cards not reported as part of this window. In speaking with a different processor contact, from what they are seeing, they agree."
The Global Payments breach appears to be the largest processor breach since Heartland, which in 2008 was hit by the now notorious hacker Albert Gonzalez. That incident led to the compromise of 130 million U.S. debit and credit cards. (See companion story about major card breaches.)
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says no PIN data appears to have been captured, pointing to a processor-level breach.
"I trust the expertise of MasterCard and Visa on this," he says. "A processor-level breach would normally involve high volumes of cards and multiple merchants, with the commonality being a single processor. ... I hope they are looking for a common processor and not a common merchant. It just seems that the accuracy of their [the issuers'] analysis would be much more effective that way."
Gartner fraud analyst Avivah Litan, in a blog entry, says card issuers are seeing signs of what she calls "this breach mushroom."
Litan also says it appears the hackers who overtook the processor got in via an administrative account, correctly answering the system's knowledge-based authentication questions. "Knowledge-based authentication should not be relied upon," she says.
Beyond the authentication piece, experts raise serious questions about whether Global Payments was in compliance with the Payment Card Industry Data Security Standard.
"Although I think we need to wait until all the facts are in, we all know that PCI is a minimum level of security, not a maximum," says Wendy Nather, a director at 451 Research. "QSA assessments can also vary in quality and thoroughness, but it would be interesting to find out whether any 'shortcuts' were taken, or the certification influenced, given the possible size of the processor."
News Editor Howard Anderson and Associate Editor Jeffrey Roman contributed to this report.