Visa and MasterCard issued new alerts on May 15 that suggest the breach at payments processor Global Payments Inc. dates back to January 2011 - an exposure window significantly longer than what was originally reported when news of the breach surfaced in late March.
Two card issuers have confirmed the updated advisories push the breach date back to Jan. 30, 2011. Visa's alerts in March indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. On April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011. (See Global Breach: Did It Start in 2011?)
Global has maintained that it notified the affected card brands in early March as soon as it identified the breach. But Global has offered no precise information about the breach timeline and indicated on May 14 that it had no comment beyond what was already posted on its website.
Late last week, some sources said the Global breach may have exposed 7 million debit and credit accounts - a significant increase from the 1.5 million Global reported during its April 1 press conference/investors call. (See Is Global's Breach Growing?)
According to Krebs' most recent blog, Union Savings Bank in Connecticut linked debit fraud to a café at a nearby private school. After the bank determined the school was a Global customer, it contacted Visa.
Connecting the Fraud
But making those fraud connections has proven challenging for most card issuers. As the possible exposure window widens, it will get even more challenging.
"January 2011 is what both networks are telling issuers," one affected issuer tells BankInfoSecurity. "Clearly, this is a significant increase, but I have no idea if it makes the grand total 7 million. I can tell you that since these populations are so old, most of the fraud has already been incurred."
Earlier this month, just after Visa and MasterCard issued updated advisories, an executive at another issuer said the expanded timeframe, then thought to go back only to June 2011, had increased the institution's compromised card total by about 50 percent. Now, as a result of the latest alerts, the exposed card pool at this issuer totals about 2,000 accounts.
"We are running the numbers now, but it looks like most of our fraud from the segment was spring 2011," the executive at this issuing institution says.
The fraud the issuer has seen so far has been linked to credit, not debit, accounts, and has primarily been connected to overseas transactions, he adds.
Global's Impact on Issuers
Both issuers say the updated advisories are unquestionably linked to the Global breach. Advisories or alerts from the card brands carry reference codes, and all of the compromises linked to Global share a common code. "These last night were coded the same as the other previous Global populations," one issuer says.
Issuing institutions can expect potential fraud that spans a much greater period of time on a continually expanding number of credit and debit accounts, says Avivah Litan, a fraud analyst at Gartner and one of the first experts to comment about the breach.
"It is highly likely that more than 1.5 million cards were compromised, and that the ramifications for the issuing banks are much larger than indicated by the CEO of Global," she says. "In other words, there is likely to be continuing and significant fraud-attempt activity against the issuing banks."