Global Payments Inc. says it has completed its investigation into the data breach it first announced in April. But what the Atlanta-based payments processor uncovered during that investigation remains a mystery.
During a July 26 earnings call, Global Payments CEO Paul Garcia did say that the breach, impacting an estimated 1.5 million payment cards, has so far cost the processor $84.4 million and could cost an additional $25 million to $30 million in 2013. Those charges include expenses to investigate and remediate the breach, as well as an estimate of charges from the card brands impacted by the incident.
But about the breach itself, Garcia said only that Global Payments has made "substantial progress" in its own investigation of what the company refers to as the "data intrusion." Leading off the call with a breach update, Garcia said:
- The internal investigation is complete;
- Global Payments now is "actively executing the remediation plan" resulting from that investigation;
- A qualified security assessor is reviewing these remediation activities, with Global's eye toward being returned to card brands' lists of processors compliant with the Payment Card Industry Data Security Standard.
There was no discussion about whether Global Payments uncovered the specific cause of the breach, what information was taken, how many cards were affected or what exactly the remediation plan entails.
'Bottom of the Second'
Later in the earnings call, in response to questions from analysts, Garcia drew a baseball analogy.
"It's a double-header," Garcia said, and so far Global Payments has completed only game one - its own investigation.
Now the processor is in the middle of game two, working closely with the card brands, which Garcia says are analyzing information collected during the investigation to determine where liability lies for card fraud connected to the breach.
The goal, Garcia said, is for the company to regain its Report on Compliance (RoC, which attests to an organization's PCI compliance) by the end of 2012. "That game is in the bottom of the second," Garcia said.
The attack on Global came to light in late March, after security blogger Brian Krebs reported that the payments network had been hacked. On April 2, Global acknowledged the breach, saying it believed the 1.5 million card numbers that were exported by hackers were confined to North America.
Garcia at the time also said his company deemed the breach to be "manageable," and reiterated that the incident was discovered internally, not by an outside party. "We found this, and we reported it within hours," Garcia said in April.
Based on information three separate card-issuing institutions provided to BankInfoSecurity, the first advisories issued by Visa and MasterCard confined the Global breach to occurring sometime between Jan. 21, 2012, and Feb. 25, 2012.
In April, Visa issued an updated advisory that suggested the breach likely occurred 2011, card issuers say. In that advisory, Visa warned issuers to monitor transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).
In early May, Visa and MasterCard issued another round of updated advisories connected to Global. One card issuing institution executive affected by the breach said one of those advisories indicated information beyond Track 2 data may have been exposed. Card verification value codes, or CVV2 security codes, which are used in card-not-present transactions, "may be at risk for some accounts," the advisory noted.
Global maintained, however, that only non-sensitive Track 2 card data, which does not include names, addresses or Social Security numbers, was breached.
Though Global has continued to say only 1.5 million accounts were exposed, news reports posted by Krebs and the Wall Street Journal suggest the breach may have exposed as many as 7 million accounts.
In June, Global acknowledged on a microsite it established to provide updates about the breach that it had expanded the number of potentially exposed cards, though it did not say by how many. Global referred to the expansion as a precautionary measure that would allow the major card brands to proactively monitor card activity for potential fraud.
Global at the time also noted that some confidential information collected for underwriting may have been exposed. But that information, it claimed, did not involve personal details linked to individual consumer accounts.
"It is unclear whether the criminals ever even looked at this information, much less took it from our systems," Garcia said during a June 12 investors' call. "It is important to note that the portion of this intrusion related to cardholder information that we announced in April is different from the potential access to personal information we announced yesterday."