Visa Drops Support for Breached Processor, Acknowledges Weekend Outage
Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after Visa said it had pulled its seal of approval for the company.
In a press release issued 9:30 p.m. ET Sunday, Atlanta based Global Payments Inc. said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported…Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained. ”
It remains unclear whether there are additional accounts beyond these 1.5 million that were exposed by the breach; the company’s statement seems to be focusing on the number of cards it can confirm that thieves offloaded from its systems.
It’s also unclear how Global Payments’ timeline of the incident meshes with that of MasterCard and Visa. In an alert sent to card-issuing banks that was first reported early Friday by KrebsOnSecurity.com, the card associations said the window of vulnerability for the breached processor (at that time unnamed) was between Jan. 21, 2012 and Feb. 25, 2012. The alert also said that full Track 1 and Track 2 data was exposed, meaning thieves could use the stolen information to counterfeit new cards.
Yet, in a statement Friday, Global Payments said its own security systems identified and self-reported the breach, which it said was detected in early March 2012: “It is reassuring that our security processes detected an intrusion,” the company said.
In its follow-up statement Sunday, the company mentioned only that “Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.” (For more info on the data contained on Track 1 and Track 2, see this explainer).
In any event, The Wall Street Journal is reporting that Visa took the step over the weekend of distancing itself from Global Payments, by removing the company from its list of those it considers to be compliant service providers. That list is huge, and is available here (PDF).
At the same time, a technical glitch affecting the Visa network barred some people around the United States from using their credit and debit cards for about 45 minutes on Sunday. Visa told The Associated Press that the outage was caused by an update it made to its system, but that the problem was unrelated to the Global Payments breach.
The apparent discrepancy over the timeline of the Global Payments breach and the means by which it was discovered and reported leaves several unanswered questions: Was the initial alert by Visa and MasterCard that prompted this story related to a separate breach? If so, was Global Payments involved?
Stay tuned; Global Payments holds a public conference call at 8:00 a.m. ET Monday to discuss the incident, and to hopefully shed more light on these questions.