Visa and Mastercard investigate data breach

By Jessica Silver-Greenberg and Nelson D. Schwartz New York Times
Posted:   03/30/2012 11:00:42 AM PDT
Updated:   03/30/2012 08:41:40 PM PDT

Visa and MasterCard are investigating whether a data security breach at one of the main companies that processes transactions improperly exposed private customer information, bank officials said Friday. The event highlighted a crucial vulnerability that could affect millions of cardholders.

The breach occurred at Global Payments, an Atlanta company that helps Visa and MasterCard process transactions for merchants. One bank executive estimated that about 1 million to 3 million accounts could be affected. That does not mean all those cards were used fraudulently, but that credit card information on the cardholders was exposed.

The bank official, who insisted on anonymity because the inquiry is at an early stage, said that Visa and MasterCard notified his company Thursday, but that banks had been frustrated with the pace of disclosure by Global Payments. He said that Global Payments, which is one of the biggest transactions processors, had provided little information on where the breaches took place, how accounts were hacked and other details that could indicate which customers might be vulnerable.

Banks said that when they could identify victims, they would notify them and replace credit cards, if necessary.

While far from the largest breach of credit card data in recent years, the latest incident, which is being investigated by major banks and federal authorities as well as the card companies, underscores concerns about thevulnerability of electronic financial data.

As financial services companies have improved security over the past year, criminals have aimed at a specific part of the credit card system: the payment processors that act as a bridge between banks and retailers. Security consultants say the sophistication of these attacks is increasing.

Bank officials said they were told by Visa and MasterCard that the breach occurred sometime from late January to late February, and included what is known as Track 1 and Track 2 data. That includes details like names, card numbers, validation codes and in some cases, customer addresses.

“Thieves are after high concentrations of credit card numbers, which makes payment processors the perfect target,” said Tim Matthews, a director at security firm Symantec.

The processors, including Global Payments, act as the plumbing from merchants to banks, authorizing millions of transactions each day.

With each swipe of a credit card, the card number and other important financial information travels from the merchant to the third-party processors and then to Visa or MasterCard. The data is then forwarded to the bank that issued the card.

The holy grail for hackers is the account information. The goal is to break the data’s encryption as it travels through the payment processor system, said Avivah Litan, a vice president and analyst with Gartner Research, a security firm.

This is the second breach at Global Payments in the past 12 months, according to two individuals briefed on the investigations who spoke on the condition of anonymity because they were not authorized to speak publicly. Another similar attack was disclosed by Heartland Payment Systems in 2009, a breach that began in 2007 and resulted in the exposure of data on 130 million credit cards. Heartland estimated that breach cost it $140 million in fines, settlements and legal fees.

The new possible breach was reported Friday morning by a blog called Krebs on Security. Trading in Global Payments shares was halted about noon but the share price had already dropped 9.1 percent to $47.50.

A spokeswoman for Global Payments declined to comment on whether hackers had struck before. In a statement Friday afternoon, the company said it had identified “unauthorized access into a portion of its processing system,” and had asked for help from external experts in computer security and also contacted federal law enforcement. The Secret Service, which investigates credit card fraud, confirmed that it was looking into the breach.

“It is reassuring that our security processes detected an intrusion,” said Paul R. Garcia, chief executive of Global Payments. “It is crucial to understand that this incident does not involve our merchants or their relationships with their customers.”

Electronic payment industry officials also said the latest data thefts were not evidence of a larger problem. “These folks work night and day to secure their systems, but they are connected to millions of merchants around the country and nothing is absolutely foolproof,” said Thomas Goldsmith, a spokesman for the Electronic Transactions Association, a trade group.

MasterCard would not say how many cardholders might have been affected by the attack. The card companies also said they had alerted banks and law enforcement officials to the breach, and emphasized that their own systems had not been compromised.

Share

No comments yet.

Leave a Reply

Twitter widget by Rimon Habib - BuddyPress Expert Developer