Global Payments Breach Tab: $94 Million

Expenses Linked to Fines, PCI and 2012 Investigation

By Information Security Media Group, January 10, 2013.

Global Payments Inc. says the data breach it revealed in April 2012 has cost the company $93.9 million.

In a Jan. 8 quarterly report, the Atlanta-based payments processor says expenses associated with the breach related mainly to investments the company has made to enhance security and ensure compliance with the Payment Card Industry Data Security Standard. Global estimates the breach affected 1.5 million payment cards in North America (see Global Payments: Breach Exam Complete).

"We hired a qualified security assessor, or QSA, to conduct an independent review of the PCI-DSS compliance of our systems," Global states in its filing. The processor goes on to say that its effort to remediate its systems and processes is "substantially complete," and it hopes to be returned soon to the payment card network list of PCI-DSS compliant service providers. "Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows," Global states.

Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.

"The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial," Global states. "We continue to process transactions worldwide through all of the card networks."

The Breach

Global acknowledged the breach after security blogger Brian Krebs broke news about a hack that affected Global's payments network in late March 2012.

In announcing the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the response internally.

Shortly after news of the breach was made public, three separate card-issuing institutions provided BankInfoSecurity with copies of advisories first issued by Visa and MasterCard, confirming the breach occurred sometime between Jan. 21 and Feb. 25, 2012.

But in April 2012, Visa issued an update that warned issuers the breach likely occurred in 2011 and could have affected transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).

Then, in early May, Visa and MasterCard issued more advisories, suggesting personal information about cardholders may also have been exposed during the Global attack. Initially, Global said only card-verification value codes and card numbers had been breached.

From the outset of the investigation, Global estimated that 1.5 million accounts were exposed by the breach, but news reports suggested the breach could have exposed as many as 7 million accounts.

In June, Global acknowledged it had expanded the number of potentially exposed cards, though it did not say by how many.

In the Jan. 8 filing, Global notes its internal investigation revealed unauthorized access to servers that housed personal information collected from merchants who applied for Global's processing services. But the processor says it could not determine the breadth of that personal data breach.

"We cannot verify those potentially affected, as it is unclear whether any information was exported," the company states. "However, we notified potentially affected individuals and made available credit monitoring and identity protection insurance at no cost."

Breakdown of Breach Costs
