Today The Official Merchant Services Blog is updating its coverage of the Global Payments Data Breach. The big bomb Global just dropped is that apparently there was a second data breach.
The story, initially broken by Ellen Messmer at Network World stated that Global Payments itself revealed this latest news.
Data Breach II: Credit Card Boogaloo
From the Global Payments Website: “The Company’s ongoing investigation recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants. It is unclear whether the intruders looked at or took any personal information from the Company’s systems; however, the Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost. The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the Company’s U.S. merchant applicants.”
So What Was Compromised?
This second breach compromised the personal information of a subset small merchants that applied to be clients of Global Payments — and the company stressed that this set of merchants was different than the ones exposed in the first breach. The exposed information includes the sort of personal information the Atlanta processor uses as part of its underwriting process. The company stressed that it does not have evidence that any fraudsters obtained or misused the merchant applicants’ information — but the servers that contained that information were possibly accessed by an unauthorized party. Last time we updated this story, we provided information from Brian Krebs about how information from the first data breach could have been used by fraudsters.
Something to keep in mind regarding Global’s claims that the second breach did not lead to fraud is that Global still maintains that the information that was compromised in its first breach was not involved in fraud — even after Krebs dug up examples of fraud happening to Global customers in his blog entry here.
Wait, What?
The author of the official updated statement released by Global — Jane Elliot from Investor Relations — added this caveat to the statement: “This announcement may contain certain forward-looking statements within the meaning of the ‘safe-harbor’ provisions of the Private Securities Litigation Reform Act of 1995. Statements that are not historical facts, including management’s expectations regarding future events and developments, are forward-looking statements and are subject to significant risks and uncertainties. Important factors that may cause actual events or results to differ materially from those anticipated by such forward-looking statements include the following: further results of the continuing investigation of the unauthorized access of our processing system, including the discovery of additional card data or information implicated in the incident; the effect of our remediation efforts on operations; the impact of fines or penalties from the card networks and state authorities on our results of operations; and other risks detailed in the company’s SEC filings, including the most recently filed Form 10-Q or Form 10-K, as applicable. The company undertakes no obligation to revise any of these statements to reflect future circumstances or the occurrence of unanticipated events.”
That reads like a very wordy hedge against the way this story has evolved to date. To put it another way, much of what Global has already stated, including clinging to the claim that the breach is contained and the number of compromised cards was just 1.5 million, has already been contradicted by information revealed by Visa and MasterCard.
Visa and MasterCard issued new alerts on May 15 suggesting the breach dated back to January 2011 — an exposure window significantly longer than what was originally reported by Global when news of the breach surfaced in late March. Visa’s alerts in March, which Brian Krebs used to break the story, indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. Global used those alerts to help underscore their assertion that the breach was small and contained. But on April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011. Setting the length of exposure for compromised cards back six months. And then Visa and MasterCard released information that pushed the date back an entire year from the initial alert, to January 30, 2011. This vaults the figure of compromised cards to 7 million — much higher than the 1.5 million “or less” suggested by Global in their official statement.
All this contradiction over the length and severity of the breach had been met with silence from Global Payments. They had offered no further comment other than to link to their website. But with this latest batch of statements, they’re now adding that very long caveat. And they apparently intend to clear matters up even further in June. The Company plans to provide additional information regarding the potential financial impact, the PCI compliance process and the status of the investigation not later than its July 26, 2012 year-end earnings call according to Paul R. Garcia, chairman and CEO of Global Payments.
The Official Merchant Services Blog will be following this story as close as ever now. It’s getting more complicated and convoluted. Hopefully that earnings call will clear the air a bit. But it still seems like the reporters digging into this, as well as Visa and MasterCard have a very different set of facts than the ones Global is sharing with people.