Experts Say Global Payments' Breach May Not Be Only One

Global Payments' bank card security breach may only be part of the story.

April 2, 2012 -- Global Payments Inc., the third-party payments processor that had 1.5 million bank card numbers hacked, claims the "incident is contained," though security experts say other transactions may have been compromised.

"I think there are more questions than answers," said Avivah Litan, vice president and analyst with Gartner Research, after Global Payments' conference call on Monday morning about the breach.

Visa removed Global Payments from its list of "compliant service providers" after the breach, though it said the processor can re-apply after it shows its security is "in compliance with Visa's standards."

Beverly Harzog, credit card expert with Credit.com, advised that if you have been affected by the breach, your bank will contact you and issue a new card and account number. But she said it's a good idea to call your bank and check on the status of your account even if you haven't been officially notified. The hackers reportedly obtained credit card account information but, at least, no Social Security numbers, and they can use this data to make counterfeit credit cards, Harzog said.

Consumers are only liable for $50 and, in a case like this, the bank is likely to waive that, she said. But she said consumers should go online a few times a week and check their credit card accounts frequently for unauthorized purchases.

"This situation is a good reminder that our credit information is never really completely safe," Harzog said. "So even if your account wasn't involved in this breach, it's a good idea to regularly take steps to ensure your account is safe."

Litan said there may be more than one breach in question, based on the released information from Visa, MasterCard, Global Payments and reports of even a breach with a taxi or parking company in New York City.

Brian Krebs, the security expert who reported about Visa and MasterCard's security breach on Friday, said GPS is only stating how many accounts it believes were 'exported,' which focuses on the number of accounts or card numbers that a forensics expert could reasonably argue were offloaded or downloaded from the company's systems.

"What GPS has not said is how many transactions they processed -- and potentially compromised -- during the time between when they discovered the breach," Krebs said, which was early March, according to Global Payments, "and when they 'contained' the breach [in late March]."

Krebs said the number of transactions or card numbers potentially exposed while the company was actively compromised "is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems."

On Friday, Global Payments said in a statement that it believes the "affected portion of its processing system is confined to North America" and "less than" 1.5 million card numbers "may have been exported."

Though bank officials reportedly said Friday that Visa and MasterCard informed them the breach happened between late January and late February and hackers gained access to "Track 1" and "Track 2" data, which includes names, card numbers and validation codes, Global Payments said Track 2 card data may have been stolen.

Global Payments in the statement said, "the investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals."

A spokesman for Visa referred ABC News to Global Payments' announcement that Track 2 data was stolen. MasterCard did not immediately return a request for comment.

"Track 1" data generally refers to the information on the front of a bank card, said Litan. She said it is worrisome for consumers if either tracks are stolen, while "Track 2" is more worrisome for banks because they can be used to create counterfeit cards.

Visa said on Friday "there has been no breach of Visa systems, including its core processing network VisaNet."

Global Payments said, "based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained."

Global Payments said it has used different terminology than most companies in announcing a breach, Litan said.

"Typically when you disclose [a breach], you say how many cards were potentially compromised rather than exported, so the use of language is unusual," she said.

Krebs said "there also seem to be some questions about the timing of the breach, and whether the alerts from Visa and MasterCard that prompted me to first break this story were related to the GPS breach or were simply coincidental, and pertained to a separate, as-yet-undisclosed breach."

In an alert sent to card-issuing banks, the card associations said the window of vulnerability for the breached processor was between Jan. 21, 2012 and Feb. 25, 2012, Krebs wrote on his website on Monday.

"But GPS's statement on Friday said its own security systems identified and self-reported the breach, which it said was detected in early March 2012. So, to me, the open, unanswered question is: Was the initial alert by Visa and MasterCard that mentioned teh Jan. 21 to 25 dates related to this GPN breach or a separate one? If it was a separate one, was Global Payments involved?"

Krebs said he heard from two "reliable" law enforcement investigators who believe that this breach may be somehow connected to "Dominican street gangs in and around New York City," though he told ABC News he did not know any further information.

Litan said because the companies or law enforcement are in the middle of an investigation, it is "frustrating" to try to confirm information.

"No one at Global Payments, Visa, or Mastercard is talking," she said.

Litan said she heard an unconfirmed, similar report from her own "reliable" source that the breach "involves a taxi and parking garage company in the New York City area."

She wrote on the Gartner website that the crime involved a "Central American gang that broke into the company's system by answering the application's knowledge based authentication questions correctly." One possibility is that hackers took over an administrative account that was not protected sufficiently, she said.

Litan told ABC News the various reports from Global Payments, the credit card companies and law enforcement officials are "not adding up."

"A breach against a major processor is very different from a report from a parking garage in New York City," she said.

Krebs wrote in an email that "it is not clear yet, I think, how this breach will stack up against previous processing breaches, or whether we will truly ever know how many accounts or transactions the thieves could have viewed."