Global Payments Says 1.5 Million Cards Stolen; Won’t Discuss Details of Breach

Photo: Jim Merithew/Wired.com

About 1.5 million cards were potentially stolen by hackers in the recent breach of Atlanta-based card processor Global Payments Inc, according to a statement released by the company on Sunday.

The figure is many millions less than estimates reported on Friday that suggested more than 10 million cards might have been taken by thieves.

In a conference call with investors Monday morning, CEO Paul R. Garcia told listeners that the breach had been limited to a “handful of servers” in its North American processing system and that contrary to news reports no fraudulent activity had been seen on any of the cards yet.

Reports on Friday, when news of the breach first broke, had indicated that fraudulent activity had been spotted on about 800 of the stolen accounts.

Garcia, who fielded mostly softball questions from investors but refused to take questions from reporters on the call, told listeners that the company had spotted the breach on its own about three weeks ago, but wouldn’t say specifically when that occurred or how long the intruders were in the company’s network before they were discovered.

“I can’t be terribly specific,” he said in the call, adding that the company reported the breach to law enforcement and card associations “within hours” of discovering it.

Unlike most breaches that are only discovered months after the intrusion and generally only after Visa, MasterCard and other members of the card industry notice a pattern of fraudulent activity on accounts, Garcia claimed his company discovered the breach on its own.

“We had security measures in place that caught it,” he said. He acknowledged, however, that while the company’s loss-prevention software spotted data being exfiltrated from the company’s servers, it hadn’t prevented the data from going out in the first place.

“So partly it worked and partly it didn’t,” he told investors. He said the company would be investing in additional security.

According to notices that Visa and MasterCard sent to banks recently, the breach occurred sometime between Jan. 21 and Feb. 25, suggesting the breach had occurred at least several weeks before it was discovered.

A notice sent by credit union service organization PSCU to its customers indicated that Visa alerted it on Mar. 23 that 46,194 Visa accounts might have been compromised.

Security blogger Brian Krebs, who broke the story of the breach, had quoted sources saying that at least 800 cards were involved in fraudulent activity and reported that both Track 1 and Track 2 data had been taken. Garcia said during the earnings call that only Track 2 data had been stolen and he was not aware of fraudulent activity on any of the 1.5 million accounts believed to have been at risk.

Cardholder names, addresses and Social Security numbers were not obtained by the criminals, he said. Track 2 data generally contains the card account number and expiration date, along with other data.

Though Global Payments was certified compliant with the Payment Card Industry security standards prior to the breach, Visa announced over the weekend that it had removed the company from its compliance list, pending a forensic investigation to determine if it had indeed been compliant.

Garcia acknowledged that his company would be on the hook for covering the cost of issuing replacement cards to customers and could face fines from Visa, MasterCard and other card companies as a result of the breach.

The company has created a website for consumers to visit to obtain more information.

The Global Payments breach is much smaller compared to the last big breach of card processors, which occurred in 2008 against Heartland Payment Systems. That breach, which had been ongoing for more than year before the company discovered the intruders, resulted in more than 100 million cards potentially compromised. The breach cost Heartland more than $12 million in legal fees and fines.

Hacker Albert Gonzalez was sentenced in March 2010 to an unprecedented 20 years in prison for his role in connection to that breach.