Global Payments: data theft compromised fewer than 1.5 million cards
In its latest statement, payment processing firm Global Payments says that no more than 1.5 million credit card numbers were harvested during the intrusion into its systems disclosed earlier this year. The incident only affects North American Visa and MasterCard customers.
In April, the US payment processing services provider publicly acknowledged that unknown attackers had intruded into its computer systems and gained unauthorised access to a large amount of credit card data. The security breach was originally believed to have taken place between 21 January and 25 February of this year, but was later thought to go back as far as January 2011.
Global Payments says that the evidence discovered as part of its "continuing forensic investigation" suggests that the information stolen by the attackers was limited to Track 2 data. This type of track data on the magnetic stripe of a credit card includes numerical data such as the card number and the expiry date but doesn't include information like the card owner's name.
Additionally, Global Payments says that it believes that not all of the nearly 1.5 million cards have been compromised. However, the payment processing company has notified credit card companies of all potentially affected numbers so that they can "proactively monitor cardholder activity"; Global Payments has previously said that it might pass on further card numbers for monitoring purposes.
The company goes on to say that it is still unsure whether the intruders also accessed any "personal information" related to merchant applicants on its servers. Although it hasn't ruled out the possibility: according to the announcement, "potentially-affected individuals" will be contacted in the coming days with "helpful information" and will be offered "identity protection insurance" free of charge.
Paul R. Garcia, the Chairman and CEO of Global Payments, has apologised for the incident and said that his company is working diligently to conclude its investigations. At the end of its fiscal year in July, the company plans to present its shareholders with a final report on the incident. Once investigations are complete, the payment processing firm plans to reapply as a "PCI DSS Compliant Service Provider" with MasterCard and Visa: after the incident was made public, the credit card companies revoked Global Payments' certification.