Krebs said "there also seem to be some questions about the timing of the breach, and whether the alerts from Visa and MasterCard that prompted me to first break this story were related to the GPS breach or were simply coincidental, and pertained to a separate, as-yet-undisclosed breach."
In an alert sent to card-issuing banks, the card associations said the window of vulnerability for the breached processor was between Jan. 21, 2012 and Feb. 25, 2012, Krebs wrote on his website on Monday.
"But GPS's statement on Friday said its own security systems identified and self-reported the breach, which it said was detected in early March 2012. So, to me, the open, unanswered question is: Was the initial alert by Visa and MasterCard that mentioned teh Jan. 21 to 25 dates related to this GPN breach or a separate one? If it was a separate one, was Global Payments involved?"
Krebs said he heard from two "reliable" law enforcement investigators who believe that this breach may be somehow connected to "Dominican street gangs in and around New York City," though he told ABC News he did not know any further information.
Litan said because the companies or law enforcement are in the middle of an investigation, it is "frustrating" to try to confirm information.
"No one at Global Payments, Visa, or Mastercard is talking," she said.
Litan said she heard an unconfirmed, similar report from her own "reliable" source that the breach "involves a taxi and parking garage company in the New York City area."
She wrote on the Gartner website that the crime involved a "Central American gang that broke into the company's system by answering the application's knowledge based authentication questions correctly." One possibility is that hackers took over an administrative account that was not protected sufficiently, she said.
Litan told ABC News the various reports from Global Payments, the credit card companies and law enforcement officials are "not adding up."
"A breach against a major processor is very different from a report from a parking garage in New York City," she said.
Krebs wrote in an email that "it is not clear yet, I think, how this breach will stack up against previous processing breaches, or whether we will truly ever know how many accounts or transactions the thieves could have viewed."