Today The Official Merchant Services Blog is updating its coverage of the Global Payments Data Breach. The news of this breach hit on Friday, March 30. At first there reports of a mere 50,000 cards were compromised. Then at the height of the frenzy it was reported that the number might be closer to 10 million cards. Quashing the frenzy, Global itself released a statement that the number was closer to 1.5 million cards. And now it seems the dispute over the timeline as well as the number of cards continues.
Back to the Future
Christopher Brook writes on ThreatPost that the data breach that hit payment processor Global Payments earlier this year could have dated back to June 2011, launching speculation over whether more credit card numbers were stolen than initially reported.
Brook’s source is the initial source of the news about the Breach, Brian Krebs and his blog krebsonsecurity.com. Krebs writes: “A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week.”
Krebs explains that Visa and MasterCard send periodic alerts to the banks about cards that may need to be re-issued following a security breach at a processor or merchant. He states that it was these alerts that got him on the story to begin with, and ultimately report the breach. He then says, “Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.”
The timeline has been the trickiest part of the story as Global’s statements have been very succinct. The processor has stated that it reported the breach to the proper authorities when it found out about the breach. The company maintains that the breach is contained, and only affected 1.5 million cards or less and occurred in February 2012.
Krebs has been reporting that the timeline was larger and that suggests that more than 1.5 million cards could have been compromised. Krebs gives his own take on the timeline: “Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011.”
Krebs notes that the expanding timeline is most likely a result of the forensic audit and investigation that is being done on the data breach.
Blunder Reported From Down Under
Spreading our internet net far and wide, The Official Merchant Services Blog was able to find this story from Dan Kaplan reposted at the Australian CRN site. The story, that originally appeared on SC Magazine’s site, reports that Global admitted to being ditched from PCI lists. Kaplan reports: “For the first time, breached processor Global Payments disclosed on Tuesday that a number of card brands have removed the company from their approved list of Payment Card Industry (PCI)-compliant service providers. However, the US-based firm continues to process transactions for all of the major card brands as it seeks rejoin those lists, it said in an update.”
The story then reiterates Global’s continued commentary about how they immediately reported the breach, how it only affected 1.5 million cards or less and how the company continues to decline to elaborate on any further details about the attack while it cooperates with authorities to get the investigation resolved.
Kaplan then cites a Visa spokesman saying Visa has asked Global Payments to re-validate its compliance to PCI by using a qualified security assessor, or QSA. Retailers that use the company’s services will not be liable for penalties during that time.
Still no word on the involvement of Dominican Street Gangs in this breach or the early reports that the breach was caused by Taxi Cabs and a garage in New York using Global’s payment processing technology. The Official Merchant Services Blog will continue to keep its readers updated on the twists and turns taken in this ongoing story.