UPDATE: MasterCard and Visa have confirmed that they are investigating a potentially huge data breach at one of the companies’ payment processors, which the Wall Street Journal has identified as Global Payments Inc.
The credit card giants are alerting banks about a breach at a U.S.-based card processor that occurred between late January and late February 2012. The exact size of the breach is unknown, but it may involve more than 10 million compromised cards, KrebsOnSecurity reports. Global Payments Inc. did not respond to a request for comment. The company halted trading Friday afternoon as news broke of the breach, sending shares of the company down nine percent.
The data stolen may include full Track 1 and Track 2 information, which would make it easy for criminals to create counterfeit cards using the stolen data. Krebs reports that the stolen data may already have been used to make illegal purchases. He cites a warning on Wednesday from PSCU, a firm that provides financial services to credit unions, that 876 accounts were identified that had fraudulent activity, out of more than 56,000 at member banks that could have been compromised in the breach.
Both Visa and MasterCard have now confirmed that they are investigating the breach.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” the company said in a statement.
“It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity.”
Merry Pateuk, director of public relations at PSCU, confirmed that her employer issued a warning this week. She said her company was notified by Visa and MasterCard of the breach on March 23. The St. Petersburg, Florida, company processes debit and credit card transactions on behalf of around 700 credit unions across the U.S. She said the impact on her organization was “not tremendous,” and disputed reports that 56,000 customers of its credit unions were affected.
“The number was smaller than that, after we went through and removed duplicate and inactive accounts,” she said. Pateuk declined to say how much smaller the total number of compromised accounts was. She also declined to say how many accounts had been used for fraudulent purchases, but disputed reports that 876 accounts of customers were found to have been used fraudulently. “I don’t know where that number comes from,” she said.
PSCU has notified its customers of the affected accounts and advised them to monitor those accounts for signs of fraud.
Sophisticated hackers have targeted credit card processors before, with the most prominent example being the attack on Heartland Payment Systems in 2009, which turned out to be one of the larger such compromises in history.