The Green Sheet

Friday, March 30, 2012

Global Payments reportedly breached

Atlanta ISO and payment processor Global Payments Inc. is reportedly the victim of a data breach. The estimate of the number of cards compromised ranges, depending on the report, from just fewer than 50,000 to more than 10 million.

Trading on Global Payments stock was halted Fri., March 30, 2012, after the reports of the breach surfaced. Before trading was stopped, Global Payments' stock prices fell just over 22 percent to $47.50. At press time on March 30, Visa stocks were down 0.5 percent and MasterCard stocks had fallen 0.9 percent in an otherwise up day for the market.

Global Payments did not respond to a request for comment. A FAQ link on the company's website said, in part, "We are aware that individuals attempting to perpetuate fraud, via the Internet and otherwise, may be using the Global Payments' name or a Global Payments' product name, (Global Transport and logo) to deceive consumers." The company urges customers who believe they have been victimized by fraud to visit the government's Internet Crime Complaint Center at www.ic3.gov and file a complaint.

The breach report

The break-in was first reported by the blog Krebsonsecurity.com, authored by former Washington Post reporter Brian Krebs. He said that, according to alerts sent out by MasterCard and Visa to financial institutions last week, Global Payments was compromised between Jan. 21 and Feb. 25, 2012.

Krebs said the thieves were able to acquire enough data to counterfeit new cards. Krebs quoted sources saying more than 10 million card numbers may have been compromised. He then went on to say PSCU Financial, a nonprofit cooperative credit union service organization, told its members 56,455 Visa and MasterCard accounts had been compromised, but fraud was found to have occurred in only 876 accounts so far.

Card company statements

MasterCard Worldwide and Visa Inc. both issued statements acknowledging they are investigating a data breach at what Visa called a "third party entity" and MasterCard referred to as a "U.S.-based entity."

Visa's statement referred to "a potential data compromise incident" involving "all major card brands." The company emphasized Visa systems were not breached and reminded the public of its zero liability fraud protection policy.

"Every business that handles payment card information is expected to protect the security and privacy of their customers' financial information by adhering to the highest data protection standards," Visa stated, adding it is taking a proactive approach to news of the breach. "Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

MasterCard said in its statement it is alerting payment card issuers of "certain MasterCard accounts that are potentially at risk" because of the data breach. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization," MasterCard said. "It is important to note that MasterCard's own systems have not been compromised in any manner."

Discover Financial Services spokeswoman Laura Gingiss said her company is aware of the breach reports and is monitoring accounts for suspicious activity. She said the card company "will reissue plastics as appropriate" and pointed out Discover customers have no liability for incidents of fraud.

Security sector response

Mark Bower, Vice President of Voltage Security Inc., said payment processors such as Global Payments have been a target of attacks for years. "If there's one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it's the payments industry," he said. "And the writing is on the wall for those payment acquirers that don't. The PCI Council recognizes these risks, so it should be no surprise if an organization that relies on older perimeter security strategies is breached and lands on the front pages of newspapers."

Joe Levy, Chief Technology Officer for the security intelligence and analytics company Solera Networks, said, "It would not be surprising if the investigation slowly reveals that the breach involved techniques such as web application exploitation, maneuvering from a compromised public system into the internal systems and that the presence on the network was longer-term than estimated.

"These tend to be common characteristics of these kinds of events. And it underscores the fact that perimeter defenses are imperfect and will almost always be breached by a sufficiently motivated adversary. It also illustrates the insufficiency of our current incident response practices."

A political perspective

The reports of the data breach brought a quick response from Congresswoman Mary Bono, R-Calif., Chair of the House Subcommittee on Commerce, Manufacturing and Trade. Bono is co-author of the pending Secure and Fortify Electronic (SAFE) Data Act. "You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'Enter,'" she said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.