Global Payments Inc. says the data breach it revealed in April 2012 has cost the company $93.9 million.
In a Jan. 8 quarterly report, the Atlanta-based payments processor says expenses associated with the breach, estimated by Global to have affected 1.5 million payment cards in North America, related mainly to investments the company has made to enhance security and ensure compliance with the Payment Card Industry Data Security Standard (see Global Payments: Breach Exam Complete).
"We hired a qualified security assessor, or QSA, to conduct an independent review of the PCI-DSS compliance of our systems," Global states in its filing. The processor goes on to say that its effort to remediate its systems and processes is "substantially complete," and it hopes to be returned soon to the payment card network list of PCI-DSS compliant service providers. "Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows," Global states.
Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.
"The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial," Global states. "We continue to process transactions worldwide through all of the card networks."
In announcing the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the response internally.
Shortly after news of the breach was made public, three separate card-issuing institutions provided BankInfoSecurity with copies of advisories first issued by Visa and MasterCard, confirming the breach occurred sometime between Jan. 21 and Feb. 25, 2012.
But in April 2012, Visa issued an update that warned issuers the breach likely occurred in 2011 and could have affected transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).
Then, in early May, Visa and MasterCard issued more advisories, suggesting personal information about cardholders may also have been exposed during the Global attack. Initially, Global said only card-verification value codes and card numbers had been breached.
From the outset of the investigation, Global estimated that 1.5 million accounts were exposed by the breach, but news reports suggested the breach could have exposed as many as 7 million accounts.
In June, Global acknowledged it had expanded the number of potentially exposed cards, though it did not say by how many.
In the Jan. 8 filing, Global notes its internal investigation revealed unauthorized access to servers that housed personal information collected from merchants who applied for Global's processing services. But the processor says it could not determine the breadth of that personal data breach.
"We cannot verify those potentially affected, as it is unclear whether any information was exported," the company states. "However, we notified potentially affected individuals and made available credit monitoring and identity protection insurance at no cost."
Breakdown of Breach Costs
In reporting its costs related to the data breach, Global Payments offers this breakdown of specific expenses and recoveries:
- $60 million for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance;
- $35.9 million for the total of estimated fraud losses, fines and other charges that will be imposed by the card networks;
- $2 million received for insurance recoveries, based on claims submitted to date.
The total $93.9 million breach expense is substantially less than what Global Payments originally projected. "We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks," Global states. "We have now reached resolution with and made payments to certain networks, resulting in charges that were less than our initial estimates."
Global notes, however, that resolution has not been reached will all networks, so the amount of fraud losses, fines and other charges associated with the breach could differ from the amount accrued as of Nov. 30. "Currently, we do not have sufficient information to estimate the amount or range of additional possible loss for fraud losses, fines and other charges that will be imposed upon us by those card networks," the company states.
Global says it also expects to incur additional expenses in 2013 related to the investigation, remediation and PCI compliance. "We currently anticipate that such additional costs may be $25 to $35 million in fiscal 2013 (prior to any potential insurance recovery), including the $9.5 million recorded during the six months ended November 30, 2012," the company states. "We anticipate that we may receive additional insurance recoveries of up to $28 million, although the timing of such recoveries is uncertain and such recoveries may not occur in fiscal 2013."