
Global Payments’ security FAIL compounded by transparency FAIL?

Posted on April 3, 2012 by Dissent

A data breach doesn’t necessarily have to be fatal to a business, but there are entities that seem to shoot themselves in the foot when it comes to breach response. Did Global Payments suffer a self-inflicted public relations injury this past week when they didn’t get ahead of the story? And how will their failure to directly address swirling rumors about a larger breach affect investors?

Chronology

On March 23, CUSO started receiving notifications of a data breach. But Global Payments, Inc. (stock symbol: GPN) did not publicly disclose or acknowledge any breach until March 30 – one week later – after Brian Krebs broke the story of a breach at an unnamed credit card processor. Although Brian didn’t name Global, The Wall Street Journal did later that day. It was only after the media storm over a possibly “massive” breach had started that GPN went public. By then, stock prices had tumbled over 9% before trading was halted. Estimates of the number of customers affected varied wildly in news reports that day between 50,000 and 10 million.

On Saturday, the New York Times repeated reports first made on Friday that the GPN breach occurred between late January and late February, 2012 and that it included both Track 1 and Track 2 data. Neither of those points had been addressed in GPN’s press release on Friday. Significantly, NYT also reported that this was not Global Payments’ first breach:

This is the second breach at Global Payments in the last 12 months, according to two individuals briefed on the investigations who spoke on condition of anonymity because they were not authorized to speak publicly.

Two individuals who had been briefed on the investigation were both saying they had been told this was Global’s second breach? Surely, then, GPN would be in possession of such information or be in a position to respond to that claim. On Sunday night, GPN issued an updated statement that said, in part:

The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.

The statement did not address claims that this was their second breach and did not disclose when the breach occurred. Nor did the statement address other reports that the breach may have involved NYC taxis and parking garages as well as a Dominican criminal gang.

And did they have no breach management firm on board to advise them to control the story before some details – like removal from Visa’s approved list – were revealed by others? Removal from Visa’s approved list is Visa’s standard operating procedure in such cases. GPN could have presented it as such instead of letting the media reveal it in screaming headlines.

A “Data Breach Conference Call” Doesn’t Take a Single Question from Breach Reporters?

On Monday morning, GPN held a conference call (webcast) that was supposed to address the data breach. The questions they took were from analysts or about financials. Not one regular security or breach reporter got to ask a question. I didn’t bother getting in the queue to ask questions because I figured Brian Krebs, Kim Zetter or one of a number of other well-known security reporters or bloggers would ask what I wanted to know. But GPN did not take any questions from any of those who were on the call to really discuss the data breach. Not one hard question about the breach got asked or answered. Not one. I posted a brief recap of the call yesterday in Update 2.

The conference call did nothing to stop the rumor mill because GPN never took serious questions on the actual breach. Brian has information from hackers that needs to be either refuted or investigated. The NYT also has sources with disturbing information. None of that was aired or addressed.

Nor did Global’s CEO Paul Garcia explain why PSCU reportedly stated there had already been 876 cases of fraud. He claimed they were not aware of any fraud associated with the breached card numbers. Are they not aware because they haven’t asked for such data, or are they suggesting the report of PSCU’s statement was incorrect? No breach reporter got to put that question to them, either, even though Gartner analyst Avivah Litan had already said she had reports of misuse and that the breach was “mushrooming.”

GPN also didn’t address whether they had been storing Track data (which would be a PCI violation, since full magnetic-stripe data may not be retained after authorization) or whether the data were being exfiltrated in real time – because no breach reporter got to ask them that question.

And they didn’t address why they continued to process transactions once they became aware of a breach in early March. As Brian tweeted after the call, how many more transactions did they process (alternatively, how many more customers were put at risk) during the period between discovery and containment?

Analysts have one set of questions. Breach reporters have very different questions. Global Payments wasted our time yesterday morning with its faux conference call on the data breach. They now owe me one hour of sleep.

GPN’s stock fell another 3% in yesterday’s trading and the rumors that continue to swirl will likely make investors nervous as they gain more media coverage.

Perhaps GPN should consider scheduling a real conference call on the data breach where those who report on breaches actually get to ask the questions. Or if they would care to submit a statement to DataBreaches.net that addresses these questions, I’ll post their answers, although such answers generally tend to be non-responsive and raise more questions than they answer.

How about some greater transparency, GPN? Or would you prefer to continue to self-inflict public relations harm and leave investors wondering about all the questions you haven’t yet really answered?

Category: Commentaries and Analyses


2 thoughts on “Global Payments’ security FAIL compounded by transparency FAIL?”

  1. Adam says:
    April 3, 2012 at 2:16 pm

    Good points, still more questions than answers. Looks like Brian got some proof of previous breach…

    1. admin says:
      April 3, 2012 at 2:31 pm

      If you’re referring to the internal disaster recovery document, then yes, if it’s legit, he’s got some evidence of an intrusion. But that could be any time after May 2010, and it doesn’t provide enough evidence to prove an early 2011 intrusion with hackers sitting inside for a year stealing data. I’m sure he’ll stay on it and will share more of what he finds out.
