The data breach at Atlanta-based credit and debit card processor Global Payments just keeps getting bigger. Earlier this month, I reported that Visa and MasterCard were alerting banks that the breach extended back to June 2011. Now it appears the breach jeopardized cards processed by Global as far back as January 2011.
The latest disclosure, detailed in a story at BankInfoSecurity.com, now aligns with the timeline outlined by anonymous hackers who reached out to me after I broke the story on this breach back at the end of March. Global has disclosed relatively little about the breach, and has sought to downplay the severity of it. Initial reports suggested that more than 10 million card accounts were compromised in the breach, yet Global insists fewer than 1.5 million were taken. Recent reports by The Wall Street Journal put that figure closer to 7 million stolen card accounts.
Shortly after the breach, Global executives were complaining about “rumor and innuendo” in press reports about the incident. I borrowed that quote for the title of a follow-up blog post, which included claims from a hacker who told me he was reaching out because he felt Global was hiding the true extent of the breach. He told me that he was part of a group that had been inside of Global since just after the new year in 2011. From that story:
The hacker said the company’s network was under full criminal control from that time until March 26, 2012. “The data and quantities that was gathered [was] much more than they writed [sic]. They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threats.” He went on to claim that hackers had been capturing data from the company’s network for the past 13 months — collecting the data monthly — gathering data on a total of 24 million unique transactions before they were shut out.
Global has refused to comment further on the incident, referring people to a Web site with a series of Q&As for various parties potentially impacted by the breach. I guess only time will tell whether the hackers were right about the number of compromised transactions as well.
Great work Brian. Keep up the heat on this outfit. I remember when you first broke this they were supposed to make a public statement that they downplayed it and instead focused on their earnings. Their earnings should be nonexistent, they should be put out of business.
Please answer this, if they do not currently meet Visa’s standards why are they allowed to process their truncations?
If my driver’s or professional license is revoked, I can not drive or practice in my profession. Yet these middle men, who we as consumers have no idea if they are processing the transaction we are just making, make our lives miserable to appease Wall Street.
I would avoid merchants that use Global, but how do you know who they are. There needs to be more transparency in this business.
Thank you so much for exposing this.
They have said as much as they are allowed to say by the investigating authorities. This is a fact you do not seem to be aware of.
Sorry Gary, the invstigating authorities are not requiring them to say that 1.5 million cards were stolen if in fact the true number was closer to 7 or 10 million. It would be perfectly understandable if they said “We don’t know the full extent of the breach, we’re looking into it.” But if they’re deliberately lowballing the number, then need to be held responsible for that.
Sorry Bruce but you do not know what authorities are telling them unless you are one of them or a Global executive. It is similar to criminal matter where police withhold information for good reason. Perhaps you did not hear the discussion in the earnings conference call and are just speculating without knowing the facts.
Here is just one quote from the Forbes article –
“Garcia said because of the federal investigation he “could not be terribly specific” about the window.”
You can pertinent others. I will not be doing your research for you but you are doing this forum a disservice with your speculations and hyperbole.
If there is no gag order by a court (which should be a matter of public record) then there is no obligation to withhold information.
A federal investigation is not a court order.
Seems to me just another excuse.
Do not cooperate with federal authorities at your peril.
Global Payments should be ostracized by merchants. Their lack of forthrightness is atrocious. All merchants should boycott this company.
There are much better ways to handle the severity of this situation. Global does not seem to be able or willing to handle the PR side of things. When does integrity count?
Has there been a drop in the price of stolen credit card numbers since January 2011? Was there an increase in the price in March 2012? Was there an increase when the Heartland breach was discovered?
The cost of stolen credit card numbers always seems to be inordinately low, especially compared to less useful items that ought to be easier to steal. If they were mostly being stolen one card at a time, if the thieves selling them needed mules to collect them at points of sale, I would suspect we’d be getting spam trying to recruit restaurant servers who want some extra income, just as we get work at home spam for money mules and reshipping mules. I’ve never seen such an email.
When there has been such a massive number of cards compromised in one breach, it seems like we should see the price of those card numbers reflect the fact that the marketplace has suddenly been flooded. Otherwise, I think we have to conclude there are other similar large breaches going on concurrently. And we probably have to conclude they are continuing to go on right now.
Someone has to decide that *every* stolen card number on the black market has a source, and that the same source could be hemorrhaging data like this breach did. People are way too quick to dismiss victims’ whose numbers are compromised by saying they must have been careless, they must have been surfing for porn, they must have trojans on their computers, etc. There are too many reliable and cautious people who repeatedly have to change their account IDs for that to be sufficient explanation.
Well, this just happened to me two days ago. Bank of America called to inform me that someone had attempted to use my credit card number at an online perfume store. The transaction was flagged because they used both the wrong expiration date and card security code.
After I told them it was clearly fraudulent activity, BofA closed that account number and issued new cards. But I was charged $15 to have the cards sent via FedEx because the bank’s default (free) option could take up to 7 days.
They should have charged that to Global Payments. I’m sure your plenty miffed at that!
Unfortunately, I don’t think there’s any way to conclusively tie what happened with my credit card number to the Global Payments breach.
However, after my wife and I made the snap decision to pay the $15 FedEx delivery fee, I started wondering why we were be inconvenienced and charged for what was essentially BofA’s “risk” and “liability” (given the bank’s policy of zero dollar liability for fraudulent Online Banking transactions).
Moreover, by getting new cards out as quickly as possible to customers with high card utilization (we use our cards extensively for business), the bank would most likely recover a significant portion (if not all) of the FedEx delivery charge through additional merchant transaction fees.
I completely agree; I know I don’t hesitate to lodge a complaint with the Better Business Bureau if I feel I can dispute the EULA of a particular financial institution. I was wronged by Bank America quite a few years back and didn’t bother to check to find out they had actually broken a Federal SEC rule and could have been substantially fined for it!
Complaining to your state’s attorney general may shed light on any potential rule violations here. If you are outside the US, I digress.
Besides many other things they should do, Global Payments execs need to take a course in damage control.
Do not try to hide the problem, or try to make it look smaller than it is. Do not try to belittle or smear those who address your problem. And so on.
Do fully and speedily tell the public all you know, promise to update with any new information, and tell what you are doling about the problem.
True. It’s amazing how often we see an incident where the fall out from the cover-up is worse than from the incident. I’m thinking in particular of Diginotar. You’d think people would learn…
Here’s why I don’t understand. Even with small merchants, the card brands are pretty quick to detect CPPs (common point of purchase) with fraudulent transactions. Doesn’t this mean that the card brands would have notified Global in 2011? And why would it take a year+ to find and stop the hackers if you (and the card brands) knew something was not right. Something still does not add up to me here.
Here’s something else … Don’t you think that the card brands are somewhat to blame here too? Sure, Global is the main culprit, but the card brands should be protecting themselves. To have (as the anonymous hacker quoted, and what I find to be the most likely case, 24 MILLION UNIQUE CARDS stolen, and well over a year before anything is done about it tells me there’s more to blame here than just Global. While I think PCI is a good idea and shows you are taking initiatives, it clearly is not a working solution.
I think card brands need to step up their technology. Detect CPPs faster. Detect abnormalities in charging (geographical, not matching patterns, etc) and nip it at the bud. There are some amazing technologies out there, and it seems the card brands are just too far behind in this. Personally, I would rather have the annoyance of sometimes having my card decline and call me on my registered phone for approval than having to see these huge breaches happen. I feel the hackers will always be one step ahead of you. If there is a will, there is a way, no matter how “tight” you think you are. The best offense is a good defense!
Time for a change!
>>>I would rather have the annoyance of sometimes having my card decline and call me on my registered phone for approval than having to see these huge breaches happen.
This is where usually card issuers (banks) step-in, not card associations.
my 2 cents:
>>>
Even with small merchants, the card brands are pretty quick to detect CPPs (common point of purchase) with fraudulent transactions.
>>>
in fact, with 1 POS (or merchant) it is much more straightforward and visible to find CPP, compared to acquirer/processor
>>>
And why would it take a year+ to find and stop the hackers if you (and the card brands) knew something was not right. Something still does not add up to me here.
>>>
probably because of phased approach: hackers first gather data (for long period of time), then wait couple days (better months) and just later misuse data gathered
I suspect it takes quite awhile to sell all those compromised credit card #s. The criminal market was already awash with them.
Interesting point. I wasn’t aware of the phased approach. Appreciate the feedback.
Isn’t it amazing that a small vendor who has an online store can be held liable for false purchases, such that they have to pay for the charge backs. But the people who actually process the transactions don’t have to spend a dime when they leak the information to actually make false cards? Sure, they’ll face a few fines. But no effort to “Make good and whole” to the people they’ve put out.
Banks must be stop most these cards now. I have not been getting very good cards lately, most have been decline. I use pretty good bin also, so it has to be bank stopping me fraud transactions. I thank you Brian for steal all these cards for us bro.
Sounds like Brian made your eye balls dizzy “PAL” , why don’t you get a working mans job . I like to pay for a one way flight here to the U.S.A. and have a long talk with you then you can pay for your own flight back if the “G” don’t hook you up to a nice cold bar hotel room .
Heh! Heh! Ditto TF!! 😀
Bottom line time –
Some programmer makes a mistake in a line of code and there is a breach every 10 trillion transactions and the processor takes a hit. There is no such thing as bug free computer program of any complexity. All of that and the real blame lies with the issuers anyway.
I am in the security and hosting industry, and I agree that no system is fool proof. No matter how secure you think you are, the hackers are always trying to get one step ahead of you. Global was “PCI Complaint” (for whatever that is really worth (nothing!) and hopefully was doing their best to prevent these things. Where they went wrong was apparently trying to cover it up and not being forthright about it.
I think that the hacks used in these breaches should be made public, so others can learn from it and prevent it happening to them. Do they ever disclose how they goet hacked after the investigation is over?
It’s hard to stay that PCI is worth nothing unless it can be shown that the breach couldn’t have been picked up by any of the ongoing requirements and that those requirements were being performed properly at the time of the breach, for example; checking for critical file changes, use of privileged accounts, checking access to cardholder data or encryption keys etc. If you assume that Global was completing all requirements (they probably had an on-site PCI assessment during the breach, not to mention pen testing) and the breach still wasn’t detected then it was probably an ATP/RAT attack (FIM should have picked this up if they were looking though).
The problem with PCI is that it provides the minimum security baseline for low volume merchants and high volume processers alike. If your company can lose over 20 million card numbers it’s a high value target so you’ll need a few other controls over and above PCI, such as the ability to detect and block the hacker’s remote access tools phoning home from your network with truckloads of card numbers. For Global to say they were PCI compliant at the time of the breach is like them saying ‘we were doing the bare minimum that someone else who doesn’t know our business told us to’.
Your controls have to be commensurate with your level of risk, PCI doesn’t change this.
10 million, 1.5 million, 7 million?
Why is counting so difficult in the computer age? Regardless, there is no sugar-coating that there were a millions more than there should’ve been.