Some sources now say the data breach at Global Payments Inc., revealed in March, may have exposed 7 million accounts - a significant increase from the 1.5 million the payments processor first reported.
But connecting all the fraud dots back to Global has proven challenging for card issuers.
The Wall Street Journal and Brian Krebs, the fraud blogger who on March 30 broke the news of the breach, report that the number of cards exposed could exceed 7 million, based on information they've gathered from sources close to the case.
According to Krebs' most recent blog, Danbury, Conn.-based Union Savings Bank linked debit fraud to a café at a nearby private school. After the bank determined the school was a Global customer, it contacted Visa.
The blog also notes other debit accounts affected by the breach were compromised in fraudulent transactions at retailers in Las Vegas and that Safeway-branded prepaid cards, re-encoded with stolen debit numbers, had been traced back to the fraudulent transactions.
USB has suffered losses totaling $75,000 in fraudulent charges and has spent $10,000 reissuing cards, Krebs reports.
Executives at three payment card issuing institutions, who asked to remain anonymous, tell BankInfoSecurity that fraud linked to the Global breach does not suggest a breach of that magnitude. Two of the issuers agree the timeframe of the breach exceeds the Jan. 21, 2012, to Feb. 25, 2012, window originally reported. (See Global Breach: Did It Start in 2011?)
But none of the issuers has seen fraud connected to retail transactions in Las Vegas, and one of the issuing institutions questions USB's assumption that fraudulent transactions traced to a private school café are connected to the Global breach.
"If I only had one merchant location, especially a restaurant, I would first be completely focused on that merchant and would have no reason to look at or believe a processor was compromised," the issuer says. "Not until I see similar trends linking back to several different merchants would I even begin to think of a processor. If they were that good to identify that quick, I would have hoped they could have contained it better than $75,000 in losses."
The issuer says the majority of fraud seen linked to Global has affected credit, and not debit, and most of the fraud activity has been connected to overseas transactions. "Currently, only about 1.4 percent of the total accounts reported to us have seen fraud (or) attempted fraud," the issuer says.
The issuer also says that, based on what's been released so far, fraud linked to the Global breach has been much lower than fraud this executive's bank has experienced from other, sometimes smaller, card breaches. Another issuer says its institution has only had about 7,000 cards impacted by the breach, but it expects the number of potentially exposed cards to grow as the investigation into the Global breach continues.
Information surrounding the Global breach continues to evolve. As more details emerge, the size and timeline of the breach expand.
Earlier this month, just after Visa and MasterCard issued updated advisories connected to the Global breach, one card issuer said the expanded timeframe increased the bank's compromised account total by about 50 percent.
The updated Visa advisory indicated card verification value codes, or CVV2 security codes, used in card-not-present transactions, "may be at risk for some accounts."
"That, in itself, could easily bump the number up substantially," one issuer says.
Global, when it issued its initial statement about the breach, said only Track 2 data was involved. Track 2 data does not include any information about the cardholder and is typically the only data used during an in-person buy.
Global is not offering precise information about the timeline, and spokeswoman Amy Corn on May 14 said the processor had no further comment beyond what has already been posted on its website. That site was last updated May 1.