Global Payments: Personal Data Exposed?Breached Processor Updates, Expands Scope of Incident
Global Payments Inc., the breached payments processor, now says the scope of its self-discovered data breach may be broader than initially reported.
In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.
"The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost," Global says. "The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company's U.S. merchant applicants."
Global goes on to say it believes the exposure of personally identifiable information is contained and that it has made "substantial progress in its investigation and remediation efforts."
The Global Payments breach first came to light through news reports at the end of March, and on April 2 Global acknowledged the breach, which it said was confined to North America and involved fewer than 1.5 million payment cards. Global said that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.
Phishing Info Offered
In addition to the latest breach update, Global also has included new information on its 2012 InfoSecurityUpdate microsite about ways merchants and consumers can protect themselves from falling victim to phishing schemes and card fraud.
On a page dedicated to common phishing scams, the company states: "Global Payments is aware that individuals attempting to perpetrate fraud via e-mails and phone calls may be using the Global Payments name to deceive merchants and consumers. Stay alert and watch for phishing e-mail scams and fraudulent phone calls. Criminals may pose as someone investigating a fraud situation and ask you to confirm account or personal credentials."
Similarly, on a page dedicated to common card fraud and identity theft schemes, Global says consumers who suspect their accounts have been compromised should contact their card-issuing financial institution. "The company sincerely apologizes for any concern this has caused cardholders, and please know that we continue to work with industry third parties, regulators and law enforcement to assist in all efforts to minimize cardholder impact," the update states.
Global also has updated security tips for merchants, clarifying details about the potential unauthorized access to personal information collected from a subset of merchants. "It is unclear whether intruders looked at or took any personal information from the company's systems," the update states.
"The situation only involves systems at Global Payments and does not involve merchant systems, our partners or banks. Merchants do not need to change their points of sale or other systems to continue processing transactions through Global Payments. There is no operational impact to merchants, their partners or the merchants' relationships with their customers," Global adds.
More Details in July
Global says it expects to provide more details about the financial impact of the breach, the investigation and progress it has made on efforts to get back in to compliance with the Payment Card Industry Data Security Standard on or before its July 26 year-end earnings call.
"We sincerely apologize for this incident and are working diligently to conclude our investigation," said Global Chairman and CEO Paul Garcia in the statement. "We are committed to fully resolve any issues arising from this matter and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide."
Global says it continues to believe the breach exposure is limited to North America and only exposed credit and debit details on 1.5 million accounts. But the company adds that it has provided additional numbers to the card brands, "to enable them to proactively monitor card activity."
In May, some sources suggested the breach may have exposed closer to 7 million accounts. But card issuers have said connecting all the fraud dots back to Global has proven challenging.
Card issuers have told BankInfoSecurity that fraud linked to the Global breach does not suggest a breach of large magnitude. The issuers do, however, agree the timeframe of the breach exceeds the Jan. 21, 2012, to Feb. 25, 2012, window originally reported via Visa advisories (see Global Breach: Did It Start in 2011?).
Global has not offered precise information about the timeline, and has consistently declined comment beyond what is posted on its website.