UPDATED–Global Payments, the payment-processing company that was the victim of a massive data breach revealed last week, said that the attack appears to have compromised something less than 1.5 million credit card numbers and that the attack looks to have been isolated to the network in North America. However, there are some details of the incident that are raising questions in the security community about the timing of the intrusion and what data was taken.
The attack on Global Payments is the latest in a string of such intrusions at payment processors and data warehousing companies that store and sell vast amounts of consumer information. The most well-known such attack probably was the compromise of Heartland Payment Systems in 2009, an attack that had a cascading effect throughout the industry. It’s unclear at this point what the long-term effects of the intrusion at Global Payments will be, but the theft of 1.5 million credit card numbers, including full Track 2 data, is a major event.
For its part, Global Payments is saying right now that it believes the incident has been “contained” and that customers’ Social Security numbers, names and addresses were not compromised.
“The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” the company said in a statement.
Global Payments held a conference call for investors on Monday morning about the breach and officials said that the attack occurred sometime in early March. In its warning to banks last week, Visa said that the incident it was reporting had occurred between late January and late February. Visa’s statement also said that both Track1 and Track2 data had been compromised, but Global Payments officials said that it believes only Track2 data was taken.
Paul R. Garcia, chairman and CEO of Global Payments, said on the call that there was a lot of misinformation about the incident floating around.
“Approximately three weeks ago, we identified that cardholder data may have been taken. We jumped on this instantly,” Garcia said. “We found this and we reported this within hours. There are parts of this we still need to resolve and button up, but it’s absolutely contained to the best of our knowledge. There’s a lot of rumor and innuendo floating around out there that’s not helpful to anyone and a lot of it is incredibly inaccurate.”
Garcia did not specify exactly what information he was referring to, but he emphasized that the breach only affected a small number of Global Payments’ own servers and did not involve any of its partners or merchants. He did note, however, that Visa has removed the company from its PCI compliance list. That doesn’t mean that the company can’t process Visa payments, which it is still doing.
Garcia also denied that Global Payments had experienced other security incidents of this scope in the past and had failed to report them.
“There’s a rumor out there that we were aware of a data intrusion a year ago, and the answer is no,” he said. “This is the first incident and we hope it’s the last. This is an ongoing process and we’re getting better and stronger every day.”
Word of a breach at a major payment processor began to leak out on Friday morning and within a few hours Global Payments had been identified as the company in question. Later in the day, the company itself acknowledged the breach and both Visa and MasterCard released statements warning customers that some data had been compromised.
Garcia said on the conference call that the company is confident that it has a good handle on the scope of the breach, but that it’s not out of the question that new details could emerge that change that.
“We don’t have complete clarity of information, but we all believe that [1.5 million] number to be a reasonable limit,” Garcia said. “We have a high degree of confidence in that number.”