Breach Hits Card Processor Global Payments
As posted on March 30, 2012 on www.online.wsj.com
By Robin Sidel and Andrew R. Johnson
Global Payments Inc., GPN -9.06% which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.
The full extent of the breach couldn't be determined, one of the people said. It wasn't immediately clear if cardholders have been hit by fraudulent transactions.
Representatives of Atlanta-based Global Payments, a so-called third-party processors of payment cards, including debit cards, credit cards, and gift cards, couldn't be reached for comment.
The news comes as MasterCard Inc. MA -0.83% and Visa Inc. V -0.44% have been alerting their card-issuing bank customers about the potential breach. It wasn't immediately known if the banks are planning to reissue cards to their customers.
MasterCard said law enforcement has been notified of the matter and an "independent data security organization" is conducting a forensic review of the matter.
"MasterCard's own systems have not been compromised in any manner," a company spokesman said in a statement. The company will "continue to both monitor this event and take steps to safeguard account information."
The spokesman declined to say how many cards may have been compromised or how many banks it is notifying.
Visa said in a statement that it is aware of a possible compromise involving a "third-party entity" affecting card account information from all major card brands.
"There has been no breach of Visa systems, including its core processing network VisaNet," the company said. Visa said it has provided banks with affected account numbers "so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."
A notice Visa has sent to banks said it had been notified of a security breach within a third-party payment processor. The estimated window for the breach was Jan. 21 and Feb. 25, according to a copy of the notice reviewed by The Wall Street Journal.
"The network intrusion may have put accounts at risk of being stolen," Visa said in the notice, adding that a forensic company is working with the company in question and the U.S. Secret Service is also investigating the breach. "The investigation is still in the early stages and if additional accounts are determined to be at risk" additional alerts will be distributed.
Visa has a zero-liability fraud policy that "exceeds federal safeguards" and protects Visa cardholders against fraudulent purchases but encourages cardholders to "regularly monitor their accounts" and notify their banks "promptly of any unusual activity," the company said.
Some recent and large examples of data breaches
|Global Payments||January - February 2012||Details unknown, estimated 50,000 card accounts at risk|
|Citigroup||May 2011||Card numbers, names, email addresses from 360,000 accounts|
|*Epsilon Data Management||April 2011||Customer names, email addresses accessed|
|Heartland Payment Systems.||January 2009||Card numbers, expiration dates, internal bank codes stolenn|
|TJX Cos.||January 2007||Up to 90 million credit, debit card numbers stolen|
|CardSystems Solutions||June 2005||40 million cards exposed|
*unit of Alliance Data Systems Corp.
Visa and MasterCard don't lend or issue cards to consumers; rather, they handle transactions for banks that issue their cards and those that handle transactions for merchants.Visa has more than 648 million U.S. credit, debit and prepaid cards and MasterCard has more than 308 million U.S. credit, debit and prepaid cards in the market, according to the Nilson Report, a payments-industry newsletter.
Bank of America Corp., BAC +0.10% J.P. Morgan Chase JPM +0.79% & Co., Capital One Financial COF -1.04% Corp., Wells Fargo WFC +0.24% & Co. and Citigroup Inc. C +0.14% are among the largest issuers of Visa and MasterCard cards.
First Data Corp., an Atlanta-based processor that competes with Global Payments, said it wasn't involved in the matter. Card-issuing banks "should look to card brands for information, which is the standard practice for the brands," First Data said in a statement.
A spokeswoman for Bank of America said she couldn't comment on a specific breach but said it will notify customers and reissue their cards if they believe their information has been compromised at a third-party location.
The breach was reported earlier Friday by the Krebs On Security blog.
—Matthias Rieker contributed to this article.