After being named by the Wall Street Journal earlier today, Global Payments Inc. has issued a press release about the breach reported earlier today by Brian Krebs:
Global Payments Inc, a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.
“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.
Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT.
[…]
And that’s all they wrote in the way of details. For now, anyway.
Update 1: John Ribeiro reports late Sunday night, Global Payments stated that up to 1.5 million accounts’ information may have been “exported.” Names and addresses were not involved. Not surprisingly, and as it has done in the past with others, Visa dropped them from the list of compliant service providers until they get re-certified as PCI DSS compliant. Global is holding a conference call this morning so there may be additional updates then. Their updated press statement from Sunday can be found here.
Update 2: In the conference call this morning, Global Payments firmly denied that it had had any previous breach (which had been reported by the New York Times, who attributed the allegation to “two individuals briefed on the investigations who spoke on condition of anonymity because they were not authorized to speak publicly.”). In discussing the breach, Paul Garcia, Chairman and CEO of Global Payments, noted that a lot of information that had been floating around about the breach was unhelpful and “incredibly inaccurate.” Other than denying the specific allegation that this was not their first breach, they did not give specifics on what other rumors were inaccurate.
A few other details came out in the conference call, including that the breach involved only a “handful” of their servers in their North American system. Details of the attack were not disclosed as it is still under investigation by both forensics teams and criminal investigators but only Track 2 data were involved, and the firm is fairly confident in its 1.5 million estimate for number affected. They say they are not aware of any fraudulent transactions as a result of the breach but have set up a web site that will go live at some point today to assist consumers: www.2012infosecurityupdate.com. At this point, the firm believes the breach has been contained and that any costs they may incur will be manageable.
From what we know, the Global Payments hackers may have managed to gain access to Track 2 data, which includes the account number, the card’s expiration date and some other pieces of data, but not the cardholder’s name, address, SSN and the card security code. So cardholders should now be on a high alert for phishing attacks, which may be employed by the criminals as a way to obtain the missing data. Of course, that depends on the hackers having obtained their victims’ email addresses, which we don’t know.
No indication of any e-mail addresses. And I wouldn’t expect there to be in a routine card transaction.