Over 1.5 million Visa, MasterCard credit card numbers stolen?

Over 1.5 million Visa, MasterCard credit card numbers stolen?

Summary: U.S.-based credit card processor company Global Payments is about to announce more details about the security breach that recently saw millions of credit card numbers stolen. It doesn't look good.


Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting plastic issued from Visa and MasterCard, is about to release more information about the attack. Last time, the firm said the breached portion of its processing system was confined to North America and that less than 1.5 million credit card numbers were stolen. The timeframe during which Global Payments was hacked, however, has significantly grown. In other words, the hack could have been much worse.

Krebs on Security reports (emphasis mine):

A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

News broke late in March that Visa and MasterCard had warned banks of a major potential breach at a U.S.-based credit card processor. Both Visa and MasterCard then confirmed the breach, although the two also emphasized their own security systems were not compromised. Soon after, Global Payments confirmed it had identified unauthorized access into its processing system.

Previous reports suggested that full Track 1 and Track 2 data was taken, which means perpetrators got enough to counterfeit new cards. Global Payments' investigation to date has revealed that Track 2 card data may have been stolen, but the company is still not sure. On the other hand, Global Payment was confident enough to say that cardholder names, addresses, and social security numbers were not obtained by the criminals.

Estimates ranged from 50,000 to 10 million credit cards, but Global Payments reduced that to just 15 percent of the upper bound. Is that number about to jump?

The origin of the hack is still unknown. I will update you when Global Payments issues its statement (reportedly later today).

Update at 7:00 PM PST - Global Payments is keeping the estimate the same. The investigation is ongoing. Here is the FAQ:

Why have card brands removed you from their list of PCI Compliant Service Providers? Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be re-instated to those lists at the conclusion of the re-validation and any required remediation.

Can you continue to process transactions? Yes. Global Payments will continue to process transactions for all card brands with the same high level of service our customers have come to expect.

Were fraud alerts issued on more cards than 1.5 million card numbers you reported? Yes. In any matter of this nature, the card brands cast a wide net to protect consumers, and we supply as much information as possible to assist over the course of the investigation. We continue to believe that less than 1.5 million card numbers may have been exported.

Do you expect to release additional card numbers? The company has delivered, and may continue to deliver, card numbers to the card brands and other third parties to help thwart criminals and combat fraud.

What does "exported" mean? Taken or stolen from our network.

Could there be broader time periods in question? We have not publicly communicated any time periods and there is a full investigation underway. It would be premature and inappropriate for us to speak to or confirm any timeframes until the investigation is complete. We identified and self-reported this incident in early March, and we will continue to provide information to the appropriate parties as revealed by the investigation.

See also:

Topics: Security, Banking, Mobility

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I bet Global Payments was protected by an anti-virus program!

    I'm sorry, Emil. That was so bad of me. But with all the recent talk about who's OS system is the most or least secured or who's anti-virus program protects the best, I just couldn't resist the temptation.

    This one example alone should point out the fact that ANY computer system can be hacked! Any system! The only way to secure our global internet connections is to have international cyber security teams ready to work with law enforcement officials to take down these criminals as soon as possible.

    This type of counter-action, of course, raises "Big Brother" issues but I can't see any other effective means to combat this type of crime.
    • IDS/IPS is what was required or what failed.

      AV isn't meant to protect against hacks.
    • You are dreaming, right?

      The practicalities of what you are suggesting will prevent its implementation, and even if it does happen, it will be rendered impotent at warp speed. Anything that smacks of "Big Brother" will generate fierce opposition by the few remaining people who can actually think, but perhaps it will be enough to thwart that.
    • RE: effective means to combat this type of crime

      The [b]effective[/b] method of combating this type of crime is to:

      [b]summarily execute criminals [u]upon conviction[/u][/b].
      • No need to be that harsh...

        Just cut off every other finger so they can't type effectively anymore...
      • Won't work

        @Zorched - I worked with a guy that typed with one finger on each hand. I think you'd have to take them all.
      • Seriously, though

        How about if we just put them in jail! When fraud occurs, it's the merchant that pays. The banks have no incentive to go after these miscreants, and they don't. It's not just worth it to their bottom line. Add to that the fact that much of the stolen wealth lands outside the U.S. in places where the police are just as guilty as the criminals!

        This is not so much an IT matter as it is a law enforcement issue.
      • Execute the criminals - I agree - I don't want to pay to house scumbags

        I totally agree with your call to execute the criminals - I say execute the violent or demented criminals first and for those that commit huge crimes (like this) execute them second and drug offenses third and then petty offenses give them three strikes then plant the scum! The money we save by not having to house, feed, clothe and take care of their medical and dental needs will save a fortune which can then be put to better use.
      • RE: effective means to combat this type of crime is to..

        ..have fatty65536 go on a diet for being too corpulent and starving a couple of people with his excess in return.
    • Windows still there

      Well said except in the end this was Windows OS which I bet anything was running their systems. Maybe just maybe unix was somewhere in there, but all the front end and the places where the easiest place to hack was and always will be Windows. Now to give MS some credit for all we know the Windows they where using was Windows XP.
      • lol

        spoken like someone that has no idea what they're talking about...
      • easiest place to hack was and always will be Windows (NOT!)

        Then why has Windows taken a leadership position in all offical "hack tests" against all other operating systems????

        ps: It was *never* the "easiest place to hack" in the first place. Much of the data is skewed simply by the large number of systems and the potential volume of profitable information.
      • Windows...

        You're talking out of your arse and clearly have no idea how companies, the internet and hackers work.
      • Why is Windows being picked on?

        It seems reasonable that Windows is the most hacked system since it is the most widely used OS. I would imagine that any OS that gained the popularity of Windows would have similar problems.
    • NO

      Even if you are joking about AV, it's a terrible joke. as rtk pointed out, AV has nothing to do with hacks.

      Also, big brother has no interest in protecting you against hacking: FYI. They have EVERY interest, however, in hacking your system to look at what you're doing.
    • "Criminals" huh?

      I think it's good that hackers(or as they really are called), crackers, exist. Why? Because they show how easy it is to exploit some security holes in a system. I think some companies should hire people to crack the security on their systems so they can cover these security holes.
  • And they want us to use 'the cloud' for business?

    It seems to me that they worst thing one could do to secure your employers IP and personal records would be to use the cloud for data and then have one of these pirates bust into your service provider and steal your data along with every one else that uses that provider. Obviously using the internet for financial records is anything but secure.
  • PCI Security

    Payment Card Industries (PCI) security protocols interestingly enough focuses both on the fact that many breaches occur from within companies, or from disgruntled employees who have been fired, but whose access was not correctly shut down when the left. These sorts of employee related issues occur regardless of whether data is in a cloud or not. Credit card companies also charge high fees specficially so they can combat fraud and offer a guarntee of refunding fraudulent charges. We have gone so far into the digital financial world, there is little turning back now. Just keep the pressure on IT companies and credit companies, to ensure they don't quitely undermine consumer rights to hold the banks and card companies 100% responsible.
    • Sorry, but CC companies push all Fraud onto the merchants.

      I used to work retail, and every time a fraudulent card was used, we discovered it via a "chargeback" from Visa, MC, Amex, etc., who said it was our fault a card was used fraudulently, even thought Visa, MC, Amex, etc., all issued us a "validation" code that said the card was "safe" for us to accept at the register. The CC companies have insurance to re-imburse them for their losses, so they simply don't care about consumer fraud.
      • To combat this then

        Do what our company does, pass that cost on to the customer.
        Our rates add 6% to the CC charge to cover fraudulent charges. It's just business, nothing personal. When the odd chargeback does occur, we are covered.