Merchants and consumers could be the big losers in the latest case of hackers cracking the complex systems used to process credit and debit card transactions.
Visa and MasterCard acknowledged Friday that they've been alerting banks about a major breach at Global Payments, an Atlanta-based payment card processing firm.
Global Payments issued a statement late Friday saying it discovered the breach in March and reported it to industry officials and the FBI. The company scheduled a press conference for Monday morning.
Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking control of "an administrative account that was not protected sufficiently."
"I've spoken with folks in the card business who are seeing signs of this breach mushroom," says Litan.
Security blogger Brian Krebs, who broke the story, says thieves cracked into the Global Payments network between Jan. 21 and Feb. 25. He says they may have swiped more than 10 million credit and debit card transaction records.
MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.
But criminals generally don't bother highly defended systems, and look for security flaws elsewhere. "Sooner or later they find some weakness in the highly complex chain of systems that they can exploit," says Geoff Webb, of data security firm Credant Technologies.
Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants between 2008 and 2009.
And it's not just card processors that are being targeted. Last year hackers stole payment card information for more than 100 million customers of Sony's PlayStation Network.
And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some 24 million customers, data useful for identity theft.
"Any business that's capturing payment data is a target," says Mark Bower, analyst at Voltage Security.
Gangs are adept at quickly manufacturing faked debit cards to make large cash withdrawals from ATMs. In such cases the individual's cash goes missing until a theft is reported and reimbursement carried out, which can take several days.
"You should always be watching your statements for unauthorized transactions; but right now people should be extra vigilant," says Steve Coggeshall, chief technology officer at ID Analytics.
Retailers are also acutely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants to notify customers whose card numbers are stolen.
Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.
Massachusetts has begun levying such fines. Other states could see a windfall in fines levied against merchants who are slow to notify consumers that their payment card data, credit or debit card number is in criminals' hands. "Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship," Julian says.