Over 1.5 million Visa, MasterCard credit card numbers stolen?

U.S.-based credit card processor company Global Payments is about to announce more details about the security breach that recently saw millions of credit card numbers stolen. It doesn't look good.
Written by Emil Protalinski, Contributor

Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting plastic issued from Visa and MasterCard, is about to release more information about the attack. Last time, the firm said the breached portion of its processing system was confined to North America and that less than 1.5 million credit card numbers were stolen. The timeframe during which Global Payments was hacked, however, has significantly grown. In other words, the hack could have been much worse.

Krebs on Security reports (emphasis mine):

A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

News broke late in March that Visa and MasterCard had warned banks of a major potential breach at a U.S.-based credit card processor. Both Visa and MasterCard then confirmed the breach, although the two also emphasized their own security systems were not compromised. Soon after, Global Payments confirmed it had identified unauthorized access into its processing system.

Previous reports suggested that full Track 1 and Track 2 data was taken, which means perpetrators got enough to counterfeit new cards. Global Payments' investigation to date has revealed that Track 2 card data may have been stolen, but the company is still not sure. On the other hand, Global Payment was confident enough to say that cardholder names, addresses, and social security numbers were not obtained by the criminals.

Estimates ranged from 50,000 to 10 million credit cards, but Global Payments reduced that to just 15 percent of the upper bound. Is that number about to jump?

The origin of the hack is still unknown. I will update you when Global Payments issues its statement (reportedly later today).

Update at 7:00 PM PST - Global Payments is keeping the estimate the same. The investigation is ongoing. Here is the FAQ:

Why have card brands removed you from their list of PCI Compliant Service Providers? Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be re-instated to those lists at the conclusion of the re-validation and any required remediation.

Can you continue to process transactions? Yes. Global Payments will continue to process transactions for all card brands with the same high level of service our customers have come to expect.

Were fraud alerts issued on more cards than 1.5 million card numbers you reported? Yes. In any matter of this nature, the card brands cast a wide net to protect consumers, and we supply as much information as possible to assist over the course of the investigation. We continue to believe that less than 1.5 million card numbers may have been exported.

Do you expect to release additional card numbers? The company has delivered, and may continue to deliver, card numbers to the card brands and other third parties to help thwart criminals and combat fraud.

What does "exported" mean? Taken or stolen from our network.

Could there be broader time periods in question? We have not publicly communicated any time periods and there is a full investigation underway. It would be premature and inappropriate for us to speak to or confirm any timeframes until the investigation is complete. We identified and self-reported this incident in early March, and we will continue to provide information to the appropriate parties as revealed by the investigation.

See also:

Editorial standards