Topic: Banking

Global Payments: Data breach is contained

Summary: Global Payments, at the center of a Visa and MasterCard security breach, held a call on Monday to say that the data breach suffered has been "contained".

By Zack Whittaker for Between the Lines | April 2, 2012 -- 05:20 GMT (22:20 PDT)

Follow @zackwhittaker

Global Payments, a third-party payments processor to Visa and MasterCard credit and debit cards, reiterated that while customer data may be at risk, the data breach has been "contained to the best of our ability." Overall, 1.5 million accounts may have been affected.

Global Payments chairman and chief executive Paul Garcia said that the "diligent work" may take some time, but will complete the ongoing investigation and identify any changes that need to be implemented.

Garcia said the breach is contained and the company will get its record of compliance back with Visa and MasterCard "as soon as possible." Executives were upbeat about Global Payments' ability to regain its record of compliance with credit card associations.

The company said it doesn't believe any fraudulent charges were made using the stolen numbers.

Separately, Global Payments reported third quarter earnings of $57.9 million, or 73 cents a share, on revenue of $533.5 million, up 17 percent from a year ago. Non-GAAP earnings in the third quarter were 83 cents a share. Wall Street was looking for earnings of 84 cents a share.

Global Payments projected 2012 revenue to be $2.15 billion to $2.2 billion. The company expects non-GAAP earnings of $3.50 a share to $3.58 a share. GAAP earnings were $3.10 a share to $3.18 a share.

Charges related to the breach weren't disclosed because the investigation is ongoing.

Approximately three weeks ago, the breach was discovered. Within hours, law enforcement had been contacted. Garcia described how the company "jumped on this instantly," and that only a "handful of servers" were affected.

Here's what happened and when:

On Friday, it was first reported that Global Payments suffered a security breach, where as many 50,000 cardholders may have had their information exposed.

Global Payments processes card payments between merchants and banks, sitting in the 'middle-ground' directing where payment data should go.

Brian Krebs, who first reported the breach, initially warned that 10 million cards may be compromised. On Sunday, Global Payments revised down Krebs' figure as it confirmed as many as 1.5 million Visa and MasterCard accounts may have been compromised by the security breach.

While card numbers may have been downloaded from its systems, no other personal data --- such as names, addresses, or Social Security numbers --- were accessed.

Both Visa and MasterCard confirmed there was no breach to its own systems.

Visa and MasterCard both sent out non-public alerts to banks to warn of the breach that was thought to have occurred between January 21 and February 25, as Global Payments informed law enforcement andbrought in an independent data security organisation to inspect any damage.

Visa, as a result of the breach, removed Global Payments from its list of approved service providers, but invited it to re-apply once it submits evidence to show its security is "in compliance with Visa's standards."

MasterCard said it had not followed Visa's move, but was awaiting the result of an independent forensic investigation before it made any decision.

Associated Press reported that a technical problem affected the Visa network for 45 minutes on Sunday evening, which resulted in users unable to use their credit and debit cards. Visa confirmed this was not as a result of the recent security breach.

While the reputation of Visa and MasterCard stands in jeopardy, Global Payments lies in ruins. But Jefferies analyst Jason Kupferberg said that the processor can weather the storm.

The processor has $300--400 million in unrestricted cash, which could pay for the damage left by the breach, compared to figures by the 2009 Heartland data breach, in which 130 million accounts ran compromised. Analysts weighed in almost immediately after the breach with their opinions.

Related:

Topics: Banking, Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

41 comments

Log in or register to join the discussion

What kind...

..of server software was running?

Tony Burzio
2 April, 2012 07:08

Reply Vote
- Probably
  
  DBase II on CP/M
  
  dev/null
  2 April, 2012 10:51
  
  Reply Vote
  - correction
    
    that's dBase II
    
    sdorman@...
    2 April, 2012 12:56
    
    Reply Vote
AM I affected?

It would be nice to know their merchant list so I know if my account has been compromised!

sumcores
2 April, 2012 08:38

Reply Vote
- Re: Am I affected?
  
  Gotta agree. I've got a Visa card, so I called my bank on Saturday to ask if they're affected, and they said they wouldn't know anything probably until next week. That's a bit ridiculous...
  
  masonwheeler
  2 April, 2012 10:27
  
  Reply Vote
Company should reimburse any card that were use to make Fraudulent Charges

The company should be made to/forced to reimburse any and all fraudelent charges as a result of this breech. So that it would cause them to use better security systems.

pjones
2 April, 2012 08:41

Reply Vote
Encryption, anyone?

Is it just me, or isn't all cc data supposed to be encrypted? As in all the time? Especially in a live server environment? By LAW? Oopsy...

gteksean
2 April, 2012 08:52

Reply Vote
- It's not a law
  
  There is an agreement between the card issuers and the processors. But it is not law. Nothing I have seen so far indicated that the processor did anything wrong, although I'm sure they did and that will come out in the way.
  The problem really lies with the card issuers. There is no reason a merchant or processor should ever have to store the card data. All card data should be sent in an encrypted packet which the card issuer confirms and sends a token back to the processor and merchant. That token is good for only that transaction making useless to anyone else. The reason the card issuers don't employ this proceeds is simply because they want all of the security responsibility to fall on the processors and merchants.
  
  jhuddle
  2 April, 2012 13:29
  
  Reply Vote
  - And the users
    
    Don't forget the card user will also bear responsibility. Look at your "EULA" which is almost impossible to read much less understand. Basically, I think it says you, the user are responsible even if the issuer makes a mistake or error. Just try to get out of that. Don't know if "chip" cards are used in the US much but in Canada, all issuers now use chips which require the user to enter a PIN. Why? That way if it is "stolen" the user will bear the blame unless they can somehow prove they are not responsible. I know, my card was breached a few weeks ago and only because it was used for iTunes purchase at an Apple Store in Beijing was it automatically security flagged. The fake user also had my telephone number and security code. Although I didn't have to pay the few hundred dollar charges, I did rebuild my OS and purchase a new sdd C: drive just in case. I run ESET Internet Security as well as several pro antimalware programs. So who was breached? SourceForge, PayPal, Millenia Corp, LavaSoft, or others recommended by this site?
    
    plandok@...
    2 April, 2012 18:41
    
    Reply Vote
- Encryption, anyone?
  
  Information moving from one server to another is encrypted. However, if someone gained access to a server by hacking a login name and password, then the information is not encrypted. Just like TJ Maxx had an issue some time ago, it's the strength of the network security.
  
  Linux411.com
  2 April, 2012 15:06
  
  Reply Vote
Details of the breach should be public as well.

Publishing how they were breached would help overall security and other card processors may learn from it. Also, it makes a big difference to me whether the breach was due to a new exploit or if it was due to them not following "best practice" security policies. If their security was not up to par, they should not be allowed to go back to processing card payments until they make improvements.

AMS-Ray
2 April, 2012 08:57

Reply Vote
How would they know no fraudulent charges have been made?

Really, Global can say that they beleive no fraudulent charges have been made? Well I guess if they aren't looking they could say whatever they want to believe. They have no proof.
Yes companies that handle credit card information should be held responsible to pay for all the expenses incurred by others to clean this up. My wife works at a bank and they have sent out 2,300 letters to card holders warning that their card information may have been compromised. Who pays for that? Should be Global footing the bill for the letters, postage and whatever it costs to replace all those cards.

voltman3
2 April, 2012 08:57

Reply Vote
- They don't - but there were charges...
  
  I should know - I found 8 charges on my CC, but they didn't show up until mid-March. Just been on the phone to Visa about it today. Now have to have a new CC (no cost to me as such), but that also means a good deal of emailing & phoning 2 change all my auto debits for insurance, power etc. There need to be some heavy-duty penalties in place for digital theft, since the flow-on effect is very wide-ranging and disruptive, not to mention expensive. A few high-profile cases where the perps (prob incl the odd foreign Asian govt who shall remain nameless...) are bankrupted and jailed for 10-15 years in some God-forsaken jail in South America would get the message across. But I guess that won't happen since all the bleeding-heart libs aren't into letting people suffer the consequences for their actions... :-p
  
  IslandBoy_77
  2 April, 2012 16:38
  
  Reply Vote
  - Don't be obtuse!
    
    You take a story about a breach of a Credit Card Company's data and turn it into a Liberal vs. Conservative rant! Pllllease, get a real life! No "bleeding heart lib" wants to stop the authorities from finding and prosecuting those responsible, as well as identifying and punishing those that failed to prevent it. That is just stupid!
    
    michaellashinsky@...
    12 April, 2012 12:44
    
    Reply Vote
"Contained" is the wrong word.

It is like saying that "the Titanic's rate of sinking has dramatically slowed", simply because it hit the bottom of the Atlantic ocean. The problem is just getting started!

According to a piece on CNN, the problem is not your credit card, which can be cancelled. It is that what was stolen is enough to create new, fake identities like you. Could the police show up at your home with an arrest warrant for some crime committed by someone with your fake ID? And a over a million others like you.

dougs666
2 April, 2012 09:13

Reply Vote
Clueless

Hmm, they state 50,000 cardholders' info was compromised, then they state 10 million cards were compromised, later downgraded to 1.5 million cards.

Unless they expect us to believe each of the 50,000 cardholders had an average of 30 cards each, then they obviously have no clue how big the exposure was. That makes for a warm fuzzy feeling, doesn't it?

brichter
2 April, 2012 09:13

Reply Vote
Nothing can be done.

Can't blame them. Those who do are idiots because even if they had the expertise to build a fool-proof system, There will be someone else somewhere who is determined to break it.

Having said that, it would be in their best interests to reimburse any illegitimate transactions.

arseshan
2 April, 2012 09:18

Reply Vote
- Wanna bet?
  
  I can certainly blame them, as they did not prevent this, and it is their job to do so. I don't care if there are fifty million determined hackers out there. If you can't prevent them from succeeding, you are a complete and utter failure, and should be fired for incompetence. This story is once again a gigantic coverup by the malfeasants, none of whom will be punished for their arrogance and stupidity, just like all the times before.
  
  thetwonkey
  2 April, 2012 09:27
  
  Reply Vote
  - EH ?
    
    We all have a right to be angry but I think you have your expectations set way too high.
    If you sit down and list all of the organisations, including the banks, software and hardware manufacturers you can only come to the conclusion that it will never be 100% secure.
    Why ? Because someone somewhere has to know the passwords, security setup and if they decide to leak the information - nothing can be done about it.
    The internet is NOT 100% safe, it never will be because humans are involved.
    
    MaxDaniels
    2 April, 2012 10:04
    
    Reply Vote
  - Wow
    
    Sounds like you need to step up the the plate and take over their security. I'm sure you know how to make a 100% unhackable system.
    
    dev/null
    2 April, 2012 10:54
    
    Reply Vote