Experts Say Global Payments' Breach May Not Be Only One

Global Payments' bank card security breach may only be part of the story.

ByABC News
April 2, 2012, 9:41 AM

April 2, 2012 — -- Global Payments Inc., the third-party payments processor that had 1.5 million bank card numbers hacked, claims he "incident is contained," though security experts say other transactions may have been compromised.

"I think there are more questions than answers," said Avivah Litan, vice president and analyst with Gartner Research, after Global Payments' conference call on Monday morning about the breach.

Visa removed Global Payments from its list of "compliant service providers" after the breach, though it said the processor can re-apply after it shows its security is "in compliance with Visa's standards."

Beverly Harzog, credit card expert with Credit.com, advised that if you have been affected by the breach, your bank will contact you and issue a new card and account number. But she said it's a good idea to call your bank and check on the status of your account even if you haven't been officially notified. The hackers reportedly obtained credit card account information, and no Social Security numbers, at least, and they can use this data to make counterfeit credit cards, Harzog said.

Consumers are only liable for $50 and, in a case like this, the bank is likely to waive that, she said. But she said consumers should go online a few times a week and check their credit card accounts frequently for unauthorized purchases.

"This situation is a good reminder that our credit information is never really completely safe," Harzog said. "So even if your account wasn't involved in this breach, it's a good idea to regularly take steps to ensure your account is safe."

Litan said there may be more than one breach in question, based on the released information from Visa, MasterCard, Global Payments and reports of even a breach with a taxi or parking company in New York City.

Brian Krebs, the security expert who reported about Visa and MasterCard's security breach on Friday, said GPS is only stating how many accounts it believes were 'exported,' which focuses on the number of accounts or card numbers that a forensics expert could reasonably argue were offloaded or downloaded from the company's systems.

"What GPS has not said is how many transactions they processed -- and potentially compromised -- during the time between when they discovered the breach," Krebs said, which was early March, according to Global Payments, "and when they 'contained' the breach [in late March]."

Krebs said the number of transactions or card numbers potentially exposed while the company was actively compromised "is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems."

On Friday, Global Payments said in a statement that it believes the "affected portion of its processing system is confined to North America" and "less than" 1.5 million card numbers "may have been exported."

Though bank officials reportedly said Friday that Visa and MasterCard informed them the breach happened between late January and late February and hackers gained access to "Track 1" and "Track 2" data, which includes names, card numbers and validation codes, Global Payments said Track 2 card data may have been stolen.

Global Payments in the statement said, "the investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals."

A spokesman for Visa referred ABC News to Global Payments' announcement that Track 2 data was stolen. MasterCard did not immediately return a request for comment.

"Track 1" data generally refers to the information on the front of a bank card, said Litan. She said it is worrisome for consumers if either tracks are stolen, while "Track 2" is more worrisome for banks because they can be used to create counterfeit cards.

Visa said on Friday "there has been no breach of Visa systems, including its core processing network VisaNet."

Global Payments said, "based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained."

Global Payments said it has used different terminology than most companies in announcing a breach, Litan said.

"Typically when you disclose [a breach], you say how many cards were potentially compromised rather than exported, so the use of language is unusual," she said.