Is Global Payments the Only Breach?
Experts Cite Differences in Alerts, Processor's Statements
Has there been a second, undisclosed payment card data breach?
In the wake of the latest revelations about the Global Payments Inc. breach, some fraud analysts wonder whether they might be seeing signs of a separate breach.
In an April 2 conference call, Global Payments CEO Paul R. Garcia said the payments processor self-discovered and reported its breach in mid-March; that it involves fewer than 1.5 million accounts; that only Track 2 data was stolen; and that, to date, no fraudulent transactions have been tied back to the breached data.
But Gartner analyst Avivah Litan says this statement does not jibe with information contained in a recent Visa alert, which suggested Track 1 and Track 2 data had been exposed. Unless details changed between the time Visa issued its alert and the Global Payments press conference Monday, she questions whether Global Payments is the only breach.
"The information we have so far came from Global Payments," she says. "They made a big point to say no merchant systems were involved, and that goes against what some of the other sources, that are credible, have said."
In a blog entry posted Monday, Litan suggests a separate breach may have occurred.
"Their breach seems to be very different than the one Visa issued an alert on," Litan writes. "Information presented on the timing windows were different and not reconciled during the Global Payments call."
Visa's advisory, according to Litan and security blogger Brian Krebs, who broke the Global Payments story on March 30, places the breach it describes sometime between Jan. 21 and Feb. 25. But Global Payments says it detected and immediately reported its breach in early March.
Also, according to Litan and Krebs, Visa reported Track 1 and 2 data stolen, while Global Payments reported only Track 2. "And the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different," Litan says.
Krebs, who also blogged about Monday's revelations, says he wonders whether a second breach may have occurred: "Given GPN's statements thus far, I continue to be nagged by the possibility that my initial reporting may have been related to a separate, as-yet undisclosed, breach at another processor."
Or, as Litan concludes, "Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about."
Global Payments says no merchants were breached and that the unauthorized access was confined to some North American servers. But several sources, including card-issuing banks, report links to questionable transactions conducted with New York-based taxi and parking services.
One card-issuer executive, who asked not to be identified, told BankInfoSecurity the Global Payments breach was likely the primary source of these compromised card transactions. "There are always multiple issues going on at once, as we are currently dealing with several smaller merchant compromises on top of Global. But from what we are seeing, I believe Global is the primary processor issue," the source said.
The source also said he did not believe Visa's date range of Jan. 21 to Feb. 25 was wide enough: "I think it should be expanded from at least December to March. This statement is made based on our review of current trends where Global compromised accounts are currently hitting business/consumer credit cards aggressively, and we are seeing those same trends, with usage in the same countries/states on accounts not yet reported as part of this breach. ... We identified the NY taxi/parking garage issue in late January for accounts using taxis/garages around the holidays, and Global, coincidentally, processes for a lot of these companies."
Cardholder, Merchant Resource
Following its conference call to discuss the breach, Global Payments established a new online resource, 2012infosecurityupdate.com, to notify the public and merchants about the breach and its developing impact.
"This incident will not adversely affect merchants or their relationships with their customers," the site says in its introduction. "That said, we also know you may have questions regarding the incident."
In addition to press releases about the breach, the site has separate sections for cardholder and merchant information.
For cardholders, Global Payments offers a series of tips, including, "What should I do if I think my card numbers have been compromised?"
For merchants, the site features an FAQ, including "Why should we continue to do business with Global Payments?" The answer:
"Global Payments continues to provide processing services 24 hours a day, 7 days a week at the same high level its customers have come to expect. With regards to this incident, we identified and self-reported the intrusion and believe that the impact of this incident to cardholders is both limited and contained."