Global Closes Breach Investigation

Processor Says Expenses Less Than Originally Reported

By , April 15, 2013.

Global Payments Inc., an Atlanta-based payments processor, says it is closing its investigation of a data breach it discovered in March 2012 that exposed an estimated 1.5 million U.S. debit and credit cards.

The company also reports that a breach-related class-action lawsuit filed in April 2012 was dismissed March 6. The lawsuit claimed the processor had failed to maintain reasonable and adequate procedures to protect cardholders' personally identifiable information.

In its earnings report for the quarter ended Feb. 28, the company says its network and systems have been confirmed compliant and secure, and that all lingering expenses linked to the breach have been paid.

"Global Payments Direct Inc., our primary operating entity, has been returned to the list of PCI-DSS [Payment Card Industry Data Security Standard] compliant service providers, and we have received reports on compliance covering all of our systems that process, store, transmit or otherwise utilize card data," the report states.

Reinstating a good PCI standing required investment, Global adds.

"As a result of this event, certain card networks removed us from their list of PCI-DSS compliant service providers," Global says. "Our work to remediate our systems and processes is complete. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI-DSS compliance of our systems. Our QSA completed the evaluation of our remediation work."

Breach Costs Less Than Expected

The processor now reports that expenses linked to the breach were lower than what the company had previously estimated.

In January, Global estimated the 2012 breach would result in $93.9 million in expenses.

But the company has since determined that expenses associated with the breach totaled $92.7 million, $8.3 million of which were recorded during the nine months that ended Feb. 28.

"We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks," Global says. "We have now reached resolution with the networks and made payments to certain networks, resulting in charges that were less than our initial estimates."

Expenses included:

  • $77.1 million for the investigation and remediation, incentive payments to business partners, and credit monitoring and ID theft insurance provided to affected consumers.
  • $35.6 million for total fraud losses, including fines and other charges imposed by the card brands.

But Global recovered $20 million of its losses through insurance recoveries, with $18 million of those recoveries recorded during the first quarter of fiscal 2013, the report states. "The three months ended Feb. 28, 2013, resulted in a net credit of $1.2 million for total processing system intrusion costs for the quarter," the company says in its report.

As a result of those recoveries, Global says it reduced its accrual for fraud losses, fines and other charges by $31.8 million during the nine months ended Feb. 28.

So far, Global has not experienced a material revenue loss related to the breach, but the company notes that the breach and related remediation efforts could have a negative impact on future revenue.

The Breach

Global acknowledged its breach early in April 2012 after security blogger Brian Krebs broke news about a hack that affected Global's network.

In announcing the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the investigation internally.

Three separate card-issuing institutions provided BankInfoSecurity with copies of advisories first issued by Visa and MasterCard, confirming the breach occurred sometime between Jan. 21 and Feb. 25, 2012.

Follow Tracy Kitten on Twitter: @FraudBlogger
