Following up on our continuing and extensive coverage of the Global Payments Data Breach, The Official Merchant Services Blog has some new tidbits to report from the man who initially broke the story — Brian Krebs.
Krebs felt he needed to respond to the Global Payments conference call delivered by company chairman and top executive Paul Garcia.
In that call Garcia said, “There’s a lot of rumor and innuendo out there which is not helpful to anyone, and most of it incredibly inaccurate. In terms of other timelines, I just cannot be specific further about that.”
Krebs took that ambiguous commentary as a specific reference to his own reporting of the incident. Notably, Krebs’ reports offered a different timeline than the one Global had been offering; they named a culprit in the data breach (citing Dominican street gangs and a New York City cab company and garage); and they suggested that at least 876 fraudulent cards had already been discovered in use as a result of the breach, while Global stated that no fraudulent transactions were linked to the breach.
So there were definitely some differences between what was being reported by Krebs and what was being discussed, however grudgingly and tight-lipped, by Global in its official statements. The discrepancy had grown to the point that Krebs was entertaining the idea that the Global breach wasn’t the breach he had initially reported. Krebs believed there might be another breach, still unverified, that fit his reporting better. As Krebs wrote on his blog: “Indeed, given GPN’s statements thus far, I continue to be nagged by the possibility that my initial reporting may have been related to a separate, as-yet undisclosed breach at another processor.”
But until another breach actually surfaces, Krebs continues to treat the Global breach as the one he had heard about and reported.
The Number Skew
The first topic Krebs addressed in response to Global’s statements and commentary was the number of compromised cards that Global reported versus the number of compromised cards the Wall Street Journal initially suggested. Krebs notes that the language Global is using in reference to the numbers differs from the language other companies have used in previous data breaches.
From an abcnews.go.com article: “Brian Krebs, the security expert who reported about Visa and MasterCard’s security breach on Friday, said GPS is only stating how many accounts it believes were ‘exported,’ which focuses on the number of accounts or card numbers that a forensics expert could reasonably argue were offloaded or downloaded from the company’s systems. ‘What GPS has not said is how many transactions they processed — and potentially compromised — during the time between when they discovered the breach,’ Krebs said, which was early March, according to Global Payments, ‘and when they “contained” the breach [in late March].’ Krebs said the number of transactions or card numbers potentially exposed while the company was actively compromised ‘is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems.’”
Change in Web Hosting
The next tidbit Krebs offered was that Global changed its web hosting company in February: “For the past two years, GlobalPaymentsInc.com has been hosted at MaximumASP, a hosting provider in Louisville, KY. On Feb. 20, 2012, the company moved its Web site to Amazon’s EC2 cloud hosting service. MaximumASP declined to answer questions about possible reasons for the switch, citing customer confidentiality policies.”
This change in hosting falls within the timeline Krebs has offered for when the breach happened, and just a short time before the point at which Garcia says the company discovered it had been breached.
Data Breach Chart From Visa
The next tidbit Krebs offered was a chart detailing the anatomy of a data breach. Krebs felt it was significant to note that there is a time period that Visa calls the “window of vulnerable transactions.” And Krebs also notes that the chart shows that discovery of the breach may or may not happen after the start date of the breach. All of this is an attempt to further investigate the timeline that Krebs is trying to construct even in the face of Global’s vague commentary about said timeline.
Hacker Makes Bold Claims
The last tidbit Krebs pointed out was that there are reports that the breach was far more extensive than was being reported.
Krebs cites a New York Times article: “The New York Times in a story published Saturday cited unnamed sources saying that this was the second time in a year that Global Payments had experienced a breach.”
Krebs then backs that claim up with a source of his own: “I have heard likewise from an anonymous hacker who claims the company was breached just after the new year in 2011. The hacker said the company’s network was under full criminal control from that time until March 26, 2012.”
Krebs’ hacker source also claimed that hackers had been capturing data at regular monthly intervals from the company’s network for 13 months. They were gathering data on a total of 24 million unique transactions before they were shut out.
And Krebs tried to verify the authenticity of his source: “When asked if he had evidence that would back up his claims, the hacker produced a Microsoft Word document with Global Payments’s logo entitled ‘Disaster Recovery Plan TDS US: Loss of the Atlanta Data Center.’ The document appears to have been created on May 6, 2010 by Raj Thiruvengadam, who according to LinkedIn.com was an Atlanta-based Oracle database administrator for Global Payments from May 2006 through August 2011.”
What It All Means
Well, at its most basic, there is a discrepancy between the information Global is releasing and the information that Krebs is uncovering. There very well may be a separate breach that Krebs was given information about; as Krebs noted himself, his initial report did not mention Global at all. There also may be a separate or longer breach that happened to Global. Or it might be, as Krebs suggested to ABC News, a purposely chosen metric for the numbers that doesn’t take into account something like the “window of vulnerable transactions.”
Krebs and Global will most likely be advancing this story throughout the week and The Official Merchant Services Blog will keep you up to date on those details.