Global to Provide New Breach Details
Processor to Offer Investigation Update July 26Global Payments Inc., the Atlanta-based payments processor that on April 2 revealed its systems had been breached, this week will provide an update about its investigation and the hack that exposed details about more than 1.5 million credit and debit cards.
See Also: Insider Insights for the PCI DSS 4.0 Transition
During a July 26 investors' call set for 5 p.m. EDT, the United States' seventh-largest payments processor plans to release additional information about the potential financial impact of the breach. It also plans to offer an update about its strides to regain compliance with the Payment Card Industry Data Security Standard.
The company says it has had made "substantial progress" in its investigation and remediation efforts, and it maintains that only non-sensitive Track 2 card data, which does not include names, addresses or Social Security numbers, was exposed.
Breach Investigation: What We Know
The Global breach got attention in late March, after security blogger Brian Krebs broke news of the breach. Global quickly responded, acknowledging the breach during its early April investors' call, but clarifying that the card numbers suspected of being exported by hackers were confined to North America and limited to 1.5 million.
Global CEO Paul Garcia also said the company deemed the breach to be "manageable," and reiterated that the incident was discovered internally, not by an outside party.
"We found this, and we reported it within hours," Garcia said during the April call.
Global also established a microsite dedicated to the updates about incident. The latest update from Global appeared on that site June 12, at which time the company said it had expanded the number of potentially exposed cards, though it did not say by how many. Global referred to the expansion as a precautionary measure that would allow the major card brands to proactively monitor card activity for potential fraud.
In that June update, Global also noted that some personal information may have been exposed during the breach.
"The company's ongoing investigation recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants," the update stated. "It is unclear whether the intruders looked at or took any personal information from the company's systems."
But Amy Corn, a Global spokeswoman, said that update referred to confidential information Global collects for its underwriting process, and did not involve individual consumer accounts.
"It is unclear whether the criminals ever even looked at this information, much less took it from our systems," Garcia said during the June 12 investors' call. "It is important to note that the portion of this intrusion related to cardholder information that we announced in April is different from the potential access to personal information we announced yesterday."
Breach Advisories
Based on information provided by three separate card-issuing institutions to BankInfoSecurity, the first advisories issued by Visa and MasterCard limited the Global breach to occurring sometime between Jan. 21, 2012, and Feb. 25, 2012. But affected issuers at the time suggested the breach likely occurred sometime in 2011.
In April, Visa issued an updated advisory that confirmed the breach likely occurred last year. In the advisory, Visa warned issuers to monitor transactions dating back to June 7, 2011 (see Global Breach: Did It Start in 2011?).
News reports posted by Krebs and the Wall Street Journal have said the breach may have exposed as many as 7 million accounts, but the issuers who communicated with BankInfoSecurity say they doubt that many cards were affected.
One issuer also notes that the majority of fraud linked to Global has so far affected only credit cards, and most of the identified fraudulent activity has been connected to overseas transactions.
In early May, just after Visa and MasterCard issued another round of updated advisories connected to Global, another executive at a different card issuer said the expanded timeframe increased the bank's compromised account total by about 50 percent.
That executive also says the May advisory indicated information beyond Track 2 data may have been exposed. Card verification value codes, or CVV2 security codes, which are used in card-not-present transactions, "may be at risk for some accounts," the advisory noted.
"That, in itself, could easily bump the number up substantially," the executive said.