Global Payments Update: What's It Mean?
Fraud Experts Analyze Latest Info on Processor Breach
Global Payments Inc., the breached payments processor, now says hackers may have gained access to servers containing personal information collected from a subset of merchant applicants.
Global says the exposure is limited to information about the merchants, but industry experts question whether consumer information also was leaked.
Gartner analyst Avivah Litan, one of the first to comment on the breach when it became public in early April, suspects the worst.
"[Global Payments] is just saying what left the network, rather than revealing the potential of what could have been exposed, which is how it's been handled in other breaches, like TJX," she says.
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says personally identifiable information could relate to various pieces of information that merchants collected from their customers, information that could result in account takeovers, such as details that would help fraudsters overcome challenge questions.
"This is kind of unfolding like a really stinky flower," Buzzard says.
Global Payments Responds
The Global Payments breach first came to light through news reports at the end of March. On April 2, Global acknowledged the breach, which it said was confined to North America and involved fewer than 1.5 million payment cards. Global continues to support the notion that only Track 2 card data was exposed. Cardholder names, addresses and Social Security numbers were not accessed by criminals during the breach, the company says.
Initial advisories from Visa and MasterCard suggested the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. But affected card issuers suggest the incident likely stems from a breach that dates back to 2011 or earlier. Visa issued an updated alert on April 26, noting that card fraud linked to the breach could date back to transactions conducted June 7, 2011 (see Global Breach: Did It Start in 2011?).
Some sources also have suggested the breach may have exposed as many as 7 million accounts - far more than the 1.5 million Global has reported (see Is Global's Breach Growing?).
Since the breach, Global Payments has disseminated information mainly through a microsite dedicated to the incident. But in a June 13 response to BankInfoSecurity queries, Global Payments spokesperson Amy Corn said the personal information that may have been exposed refers to confidential information Global collects for its underwriting process.
"The company has, however, provided a larger quantity of card numbers to the industry brands to enable them to proactively monitor cardholder activity," she says.
Corn adds that during the prepared statements at the beginning of the June 12 conference call, Global CEO Paul Garcia further clarified the breach by stating: "We talk about the number of cards exported because we think it's the most balanced and objective way to communicate the potential threat to cardholders. That being said, we have provided information to our industry partners regarding all of the cards processed through the affected systems going back a little more than a year from our discovery of the intrusion. This allows networks and issuers to do what they think is appropriate to proactively alert cardholders and mitigate fraud. Of course the number of cards we provided exceeds 1.5 million. The process is designed to cast a wide net to protect cardholders and quite frankly we're glad it does."
During the June 12 investors' call, Garcia highlighted details about the additional information.
"It is unclear whether the criminals ever even looked at this information, much less took it from our systems," Garcia said. "It is important to note that the portion of this intrusion related to cardholder information that we announced in April is different from the potential access to personal information we announced yesterday."
Garcia also clarified how Global defines what a merchant applicant is: an individual, oftentimes a merchant owner or operator, that provides personal information that is used by Global in its underwriting process. "This is a database of individuals who have applied to process transactions with us," he said.
Card Issuers React
Executives at three card-issuing institutions, who asked not to be identified, say they have received additional advisories from Visa, but nothing from MasterCard, about more card numbers that may have been affected by the Global breach. Two of those executives, however, say they do not believe the updated advisories are in any way connected to a compromise of PII.
"The only update we got was from Visa, which added relatively few card numbers between Dec. 5, 2011, and March 27, 2012," one of the executives says. "No communication was issued from Visa or MasterCard related to the personal info. My take on the personal info is that it was related to merchants applying to Global and/or acquirers for a merchant relationship."
The executive says acquirers often capture information related to merchant owners, which is likely the kind of personal information to which Global refers in its update.
The other issuing executive agrees, saying some of Global's online merchants may have been storing additional information that got sent to Global, thus resulting in the exposure of some personal information about customers who shopped on those sites. "But it is currently our position that Global and those merchants will be the required entities to do any customer notification, as part of the various state breach laws," the executive says.
The third executive says that while fraud losses linked to the Global breach have so far been minimal, affected accounts are being watched very closely. "This breach is definitely in the top three of the ones we are actively monitoring and working, based on the potential exposure and number of cards in play," the executive says.
Visa spokeswoman Sandra Chu on June 13 said Global's breach update did not involve card data. "What they issued yesterday was something separate, and not part of the cardholder data breach," she says.
Visa and MasterCard both say Global has not been reinstated to their respective lists of processors compliant with the Payment Card Industry Data Security Standard. Discover and American Express do not publicly issue lists for PCI compliance, but AmEx spokeswoman Marina Hoffmann Norville says AmEx is working with Global to ensure the processor meets mandated security requirements.
July Update Expected
Global Payments says that by July 26, the date of its year-end earnings call, it expects to publish updates about its investigation into the breach, as well as its efforts to regain good PCI standing with the card networks. The company reiterates that it believes the breach is a contained incident.
"We are committed to fully resolve any issues arising from this matter, and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide," Garcia said.
But Gartner's Litan doubts additional details coming from Global will truly shed light on the breach and its impact.
"The only way we are going to hear the whole story is if law enforcement arrests the bad guys who did this," she says. "Domestic and international law enforcement is working very hard on this case; they want to find these people."