Global Payments Inc., an Atlanta-based payments processor, says it is closing its investigation of a data breach it discovered in March 2012 that exposed an estimated 1.5 million U.S. debit and credit cards.
The company also reports that a breach-related class-action lawsuit filed in April 2012 was dismissed March 6. The lawsuit claimed the processor had failed to maintain reasonable and adequate procedures to protect cardholders' personally identifiable information.
In its earnings report for the quarter ended Feb. 28, the company says its network and systems have been confirmed compliant and secure, and that all lingering expenses linked to the breach have been paid.
"Global Payments Direct Inc., our primary operating entity, has been returned to the list of PCI-DSS [Payment Card Industry Data Security Standard] compliant service providers, and we have received reports on compliance covering all of our systems that process, store, transmit or otherwise utilize card data," the report states.
Reinstating a good PCI standing required investment, Global adds.
"As a result of this event, certain card networks removed us from their list of PCI-DSS compliant service providers," Global says. "Our work to remediate our systems and processes is complete. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI-DSS compliance of our systems. Our QSA completed the evaluation of our remediation work."
Breach Costs Less Than Expected
The processor now reports that expenses linked to the breach were lower than what the company had previously estimated.
In January, Global estimated the 2012 breach would result in $93.9 million in expenses.
But the company has since determined that expenses associated with the breach totaled $92.7 million, $8.3 million of which were recorded during the nine months that ended Feb. 28.
"We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks," Global says. "We have now reached resolution with the networks and made payments to certain networks, resulting in charges that were less than our initial estimates."
- $77.1 million for the investigation and remediation, incentive payments to business partners, and credit monitoring and ID theft insurance provided to affected consumers.
- $35.6 million for total fraud losses, including fines and other charges imposed by the card brands.
But Global recouped $20 million of its losses through insurance recoveries, with $18 million of those recoveries recorded during the first quarter of fiscal 2013, the report states. "The three months ended Feb. 28, 2013, resulted in a net credit of $1.2 million for total processing system intrusion costs for the quarter," the company says in its report.
As a result of those recoveries, Global says it reduced its accrual for fraud losses, fines and other charges by $31.8 million during the nine months ended Feb. 28.
So far, Global has not experienced a material revenue loss related to the breach, but the company notes that the breach and related remediation efforts could have a negative impact on future revenue.
In announcing the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the investigation internally.
Three separate card-issuing institutions provided BankInfoSecurity with copies of advisories first issued by Visa and MasterCard, confirming the breach occurred sometime between Jan. 21 and Feb. 25, 2012.
In April 2012, Visa issued an update that warned the breach likely occurred in 2011 and could have affected transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).
In early May 2012, the card brands issued more advisories, suggesting personal information about cardholders also may have been exposed during the attack.
On Jan. 8, Global acknowledged its internal investigation revealed unauthorized access to servers housing personal information collected from merchants who applied for Global's processing services. But the processor says it could not determine the breadth of that personal data breach.