Today The Official Merchant Services Blog is updating its coverage of the Global Payments Data Breach. The current update revolves around the expansion the duration of the breach as well as the number of cards potentially affected. It has been a virtual roller coaster ride in terms of narrowing down a number for the cards that were compromised. When the news of this breach initially hit on Friday, March 30 there were reports that a mere 50,000 cards were compromised. Then at the height of the story’s initial frenzy it was reported that the number of compromised cards might be closer to 10 million. Attempting to quash that frenzy, payments processor Global Payments Inc. itself released a statement that the number was closer to 1.5 million cards. And now, after some relentless coverage and work by Brian Krebs — the blogger who first reported the breach — it appears the number is once again creeping back towards the 10 million mark.
“That’s No Moon”
The size of the Breach keeps expanding after Global Payments initially made statements that downplayed both its size and its impact.
Global’s statements have all been very succinct, and the company says it reported the breach immediately when it found out about the breach. Global also stated that the breach is contained and only affected 1.5 million cards or less when it occurred in February 2012.
But Visa and MasterCard issued new alerts on May 15 and suggest the breach dates back to January 2011 — an exposure window significantly longer than what was originally reported when news of the breach surfaced in late March. Visa’s alerts in March, which Brian Krebs used to break the story, indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. Global used those alerts to help underscore their assertion that the breach was small and contained. But on April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011. Setting the length of exposure for compromised cards back six months. And then Visa and MasterCard released information that pushed the date back an entire year from the initial alert, to January 30, 2011. This vaults the figure of compromised cards to 7 million — much higher than the 1.5 million “or less” suggested by Global in their official statement.
All this wiggling over the timeline and severity of the breach has been met with silence from Global Payments. They have offered no further comment other than to link to their website.
So About Those Compromised Cards …
And apparently the Breach may not have been contained, or at least not contained quickly enough to prevent fraud. Krebs says on his blog, krebsonsecurity.com, “Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.”
This is a pretty big break in the ongoing story, as details of fraud have been danced around previously and Global’s not released any statements other than their initial commentary that suggested the breach was not going to produce any meaningful fraud. Krebs says that in March of this year the Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. The bank noted that the school was a customer of Global Payments and so the bank contacted Visa to see if this was related to the breach.
According to Krebs, that’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc. Higgins contacted Doug Fuller, Union Savings Bank’s chief risk officer. And Krebs’s blog describes the way the fraud worked: “According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.”
Krebs then goes on to report that the fraud described by Higgins matched the unauthorized activity seen stemming from accounts used at the private school cafeteria. Fuller said Visa alerted Union Savings Bank that about 1,000 of its debit accounts were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate. Krebs reports that USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.
Track 1 Not Needed
The details revealed by Krebs on the fraud perpetrated upon Union Savings Bank illustrates how the criminals can extract value from debit cards even if they only have some of the data associated with the accounts. This is important to understand because Global’s statements have stated that only Track 2 data was taken during the breach. Global maintained that cardholder names, addresses and other Track 1 data was not obtained by criminals in the breach. The indirect suggestion Global was making with that statement was that counterfeit cards could not be produced with the data obtained in their breach. However, the details of what happened to USB shows how Track 2 data alone was enough for the criminals to encode the card number and expiration date onto any cards equipped with a magnetic stripe. Those cards were then capable of being used at any merchant accepting signature debit — transactions that do not require the cardholder to enter a PIN number.
Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.
Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.