Credit card data breach involves all major brands
by Julianne Pepitone and Leigh Remizowski
NEW YORK (CNNMoney) — A data breach at a payments processing firm has potentially compromised credit and debit card information from all of the major card brands.
Global Payments, a company that processes card transactions, confirmed late Friday that “card data may have been accessed.” It says it discovered the intrusion in early March and “promptly” notified others in the industry.
Global Payments did not say how many accounts were affected, or what kind of information was compromised. A U.S. Secret Service spokesman said Saturday that the agency is investigating the incident.
A Wall Street Journal report from earlier Friday saying that Global Payments had been hacked sent the company’s shares down 9% before trading was halted. The stock did not resume trading before the market closed.
Global Payments did not say which card companies were affected, but Visa released a statement saying that it was all of the big players.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands,” it said.
Late Sunday, Visa spokeswoman Sandra Chu confirmed to CNN that Visa had removed Global Payments from its list of preferred credit-card processors.
When a customer swipes a credit card, the data is sent to a payment processor like Global Payments, which then forwards the transaction information to card companies like Visa and MasterCard.
That’s a massive business: Global Payments processed $167.3 billion worth of transactions in its last fiscal year, which ended May 31, 2011. Global Payments specializing in serving small merchants, like mom-and-pop businesses and local retailers.
It emphasized that none of them were to blame for the data leak.
“It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” Global Payments said.
It plans to hold a conference call Monday morning to provide more details on the debacle.
‘Massive’ breach? News of the breach was first reported by the respected security blog Krebs on Security. The blog said the breach was “massive,” and could involve more than 10 million card numbers.
“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” Gartner security analyst Avivah Litan wrote Friday in a blog post.
Her sources say the hackers have begun using some of the card data they stole, Litan added.
When payment processors get hacked, the shrapnel can spread far. The record holder for the largest-ever breach is believed to be a 2008 attack on Heartland Payment Systems, in which an estimated 130 million customer accounts were compromised.
Heartland eventually paid more than $110 million to Visa, MasterCard, American Express and other card associations to settle claims related to the breach.
In regard to the Global Payments breach, MasterCard said it has alerted payment card issuers “regarding certain MasterCard accounts that are potentially at risk.”
Visa released a statement saying it too has provided card issuers with notifications about accounts that could be affected. The issuers “can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” it said.
Both MasterCard and Visa emphasized that their own networks had not been penetrated.
Discover and American Express each released short statements saying they are aware of the situation and are monitoring customer accounts for suspicious activity.
In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost — and customers aren’t on the hook for any fraudulent charges. The card issuers themselves are responsible for those costs.
Questions about industry standards: Several security researchers said the breach is a prime example of why the current Payment Card Industry Data Security Standard (PCI-DSS) is inadequate.
“Expect to see yet another round of almost religious fervor in the debate over the real value of PCI-DSS,” Geoff Webb, director of product marketing at data-protection company Credant Technologies, said in an email.
Cybercriminals “are constantly looking for opportunities to identify and attack sites where there is a weakness in security — just like a predator looks out for the weakest member of the herd,” he added.
Litan, the Gartner analyst, is skeptical about whether the credit card industry will invest the money and time required to switch to a more secure system, like “smart cards” embedded with chips, which are used in some foreign countries.
“It’s cheaper for them to deal with these breaches than to make all those chip cards,” Litan told CNNMoney. “We’ve had all of these breaches, but there have not been any significant attempts to change the situation. The information is easy to steal, and cards are easy to use, so it’s like free money for criminals.”
– CNN’s Miguel Susana contributed