May 1, 2012

A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011.

Security experts say it is common for the tally of compromised cards to increase as forensic investigators gain a better grasp on the extent of a security breach. But so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems.

In a letter (PDF) responding to questions from Senator Robert P. Casey (D-Pa.), Global Payments CEO Paul Garcia maintained that the company discovered the breach internally and on its own on March 8, and that it began alerting the card associations the following day. Garcia said their initial disclosure was “forced by wild speculation in the press regarding this matter and our company.”

Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, 2012infosecurityupdate.com, later this evening.

Update, May 4, 12:37 p.m. ET: The Wall Street Journal published a story today citing unidentified sources as saying that at least 7 million card accounts are now considered potentially vulnerable because of this breach.


10 thoughts on “Global Payments Breach Window Expands”

  1. andy1

    I guess the skeptics were right (looking at the comments from the first report you posted.) This isn’t just a minor breach.

    1. emv x man

      Yep, I took a comment clobbering for saying so originally and/or people miss the importance of the word ‘if’.

  2. AlphaCentauri

    “Less than 1.5 million card numbers MAY have been stolen” is a safely noncommittal statement. Of course, “More than 10 million card numbers MAY have been stolen” is equally accurate. Whining about “wild speculations in the press” is not very convincing if they don’t know enough about what happened to have any firm numbers themselves.

    1. uzzi

      Additionally March 8 to March 30 could have been enough time to establish professional public relations and disaster recovery teams? oO

  3. techvet

    Sounds like they should be joining T.J. Maxx in the Stonewalling & Obfuscation Hall of Fame for poor security and total lack of concern for anything or anyone else other than its own hide once the problem comes to light. Forced by “wild speculation”, eh? Keep up the good work, Brian!

    1. Steve

      What do you mean, “Poor Security”? They were PCI compliant!

      Brings a tear to the eye in more ways than one. 😉

  4. PaulBunyanAZ

    Look/Listen/Understand …

    Banks are robbed, muggings happen, white collar crimes, violent crimes take place every day … maybe you’ve heard of Bernie Madoff. Maybe most people haven’t noticed, but the boogeyman does exist … there really are bad guys out there taking advantage of people and corporations.

    These processors and financial institutions are pouring tons of money and professional talent into protecting their environments. It is always a matter of attempting to stay one step ahead of the bad guys … sometimes no matter how much you try, the bad guy wins.

    If the bad guy wants to get in … he’ll find a way to get in … just try stopping the burglar from getting into your house. No matter what you do … locks, alarms, video, dogs, whatever … they get in and you pay the price, and are left with a mess.

    At some point in time, we’ve got to stop persecuting the good guys … who are legitimately attempting to make a good faith effort. Yeah, there will be some knuckle-head (just like bad guys, there are knuckle-heads) out there that doesn’t make a legit effort, but for the majority everybody is making the legit effort.

    1. george

      I totally disagree with you suggesting that this company made a good faith effort in securing OUR data. Also the analogy with the house which is never burglar-proof is completely out of place.
      We are not speaking about their own “house” – their own property, we are speaking about “maybe less than 1.5 million” identities of innocent people. If a neighbor asks me to watch over his property while he’s on vacation I will do so even more diligently than my own property (and I hope he would do the same for me).
      The fact that the hackers were so long inside and the way communication is/was handled is NOT a good faith effort – the fact that you’re saying otherwise makes me suspect you’ve been hired to do damage control. If you want to see companies making a good faith effort, look at Amazon, Visa, Mastercard (with the exception of Secure Code, which is less than I was expecting)

  5. TDJUK

    From the outset, GPN’s priority has been the protection of its share price and not the sharing of information with the security community. Speculation will continue, in the absence of official information, on the nature of the compromise and how many cards were at risk. The underlying concern is that other organisations could, unknowingly, be vulnerable to a similar attack. Organisations cannot afford to be complacent because they are PCI-approved. They may have been breached already.

  6. Canary

    Why isn’t anyone looking at Trustwave? They were the organization performing PCI assessments and certification for GP. How many of their clients are really PCI compliant? How many more Global Payments are we waiting for?
