VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.
Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.
In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.
Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.
It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.
If any readers have more information about the source, cause or true size of this breach, please contact me.
Update, 11:52 a.m. ET: VISA just issued the following statement in response to this story:
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.
Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.
It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at http://www.VisaSecuritySense.com.
Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”
Update, 12:15 p.m. ET: The Wall Street Journal is reporting that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants. Prior to the publication of this blog post, I had heard this name from one source, but did not include it in my story because I could not get confirmation from a second source. Global Payments has not returned calls seeking comment. CNN is reporting that the company’s stock (GPN) fell 9 percent today before trading was halted on its shares.
Also am hearing that law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.
Additionally, sources are reporting that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards (those issued to businesses). More updates as this story develops.
Update, 12:54 p.m. ET: Gartner fraud analyst Avivah Litan adds a bit more perspective to this story, saying the people she is talking to with knowledge of the situation say they are “seeing signs of the breach mushroom.”
Update, 4:34 p.m. ET: Atlanta based processor Global Payments just confirmed the breach via press release. It promised to release more details in a conference call with investors on Monday morning. Their full statement is below:
“Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.
“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.
Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT. Callers may access the conference call via the investor relations page of the Company’s Web site at www.globalpaymentsinc.com by clicking the “Webcast” button; or callers in North America may dial 1-888-895-3550 and callers outside North America may dial 1-706-758-8809. The pass code is “GPN.”