The data breach that hit payment processor Global Payments earlier this year could have dated back to June 2011, launching speculation over whether more credit card numbers were stolen than initially reported.
Several alerts issued by Visa and Mastercard, obtained by KrebsonSecurity.com, suggest the time frame that cards were potentially breached has been stretched back to December, August and June of last year. This of course is a far cry from the initial time span, from Jan. 21, 2012 to Feb. 25, 2012, that Global Payments reported in April.
In an update to their ‘Information Security Update’ site Tuesday, Global Payments also admitted that some credit card payment networks have removed the company from their lists of approved “Payment Card Industry (PCI) compliant” vendors. According to a FAQ on the site, the card brands have apparently asked Global Payments to revalidate their PCI status before continuing business with the company.
Citing an ongoing investigation, Global Payments wouldn’t officially comment on the breach’s timeline.
“It would be premature and inappropriate for us to speak to or confirm any timeframes,” reads one section of the FAQ.
While the FAQ assures that less than 1.5 million card numbers were taken, it notes that fraud alerts were issued for more cards than the 1.5 million originally reported.
The ‘Information Security Update’ site is the first time the company has divulged additional information regarding the breach since a conference call in early April.
News broke in late March that Atlanta-based Global Payments, which handles payments for both Visa and Mastercard, was hacked earlier that month. Visa and Mastercard initially alerted banks that there was a breach at a “U.S. based card processor” before Global Payments accepted blame. The company was mum at first but later admitted that 1.5 million credit card numbers had been stolen from North American users in the breach.