Security breach hits US card processors, banks

Powered by SC Magazine
 

May affect more than 10 million cardholders.

Four giant card-payment processors and large US banks that issue debit and credit cards were hit by a data security breach after third-party services provider Global Payments discovered its systems were compromised by unauthorised access.

It was not immediately clear how many cardholders became victims of the breach, which affected MasterCard, Visa, American Express and Discover Financial Services, as well as banks and other franchises that issue cards bearing their logos.

US law enforcement authorities including the Secret Service are investigating and MasterCard said it has hired an independent data-security organisation to review the incident.

The shares of Atlanta-based Global Payments, which acts as a credit-checking middleman between merchants and card processors, were halted on Friday afternoon after dropping more than 9 percent on the news.

Analysts said any financial losses from the data breach would be shouldered by merchants, card issuers and Global Payments rather than Visa or Mastercard, which operate payment networks.

Global Payments said it determined that an unauthorised entity had accessed its systems and possible customer card data in early March.

Krebs on Security, a blog that first reported the incident on Friday, said accounts had been compromised for over a month, between January 21, 2012 and February 25, 2012.

Global Payments is holding an investor conference call Monday morning to discuss the issue.

This Global Payments breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk.

Individual banks and processors said they had not yet determined the full extent of the breach, but Krebs on Security described it as a "massive" breach that may affect more than 10 million cardholders.

Some industry experts suggested the figure might be much less, perhaps on the order of tens of thousands.

Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share.

By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 percent of the market.

JPMorgan Chase, as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised.

Citigroup said it has been notified by processors of the breach. Bank of America declined to comment on the matter and Wells Fargo said it was too early to comment on the impact.

Banks and processors emphasised customers would not be held liable for any fraudulent charges that may occur.

Mike Simonsen, the chief executive of real-estate research company Altos Research, said he may have been a victim.

Simonsen said he was contacted by his bank, Bank of America, last week about his Visa card. Although there were no unauthorised transactions, the representative told him a vendor or law enforcement agency had flagged his account as compromised and so he would receive a new one.

"It was very unusual," he said.

Processing pipeline

Global Payments, which has about 3700 employees, was spun off from information-services firm National Data Corp in 2001.

For the fiscal year ended May 31, Global Payment reported revenue of $US1.9 billion, an increase of 13 percent from the year-earlier period. According to a company presentation in January, the company was projected to report fiscal 2012 revenue in the range of $US2.15 billion.

The company is scheduled to report fiscal third-quarter results on Wednesday and there had been the expectation Global Payments would report improving results. On Wednesday, Sterne Agee raised its price target for Global Payments to $US65 a share from $US58.

Global Payments is one of dozens of companies that operate along the payment-processing chain, between the time a person swipes a card to pay and the time the payment is delivered.

The account number, expiration date and possibly the cardholder's name is sent from the point of payment to a processor, which then connects to Visa, MasterCard, American Express or Discover. Information is then sent to the card issuer - often a bank - which ultimately authorises the transaction.

The actual transfer of money occurs later.

Processing companies, which perform millions of authorisations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption.

The information that was likely collected illegally from Global Payments is called Track 1 and Track 2 data. A person improperly using the information can transfer the account number and expiration date to a magnetic strip on a card and then try to use the card on a website.

Thousands of US banks that issue credit and debit cards receive daily alerts regarding breaches through a system referred to as CAMS, said Thomas McCrohan, an analyst with Janney Capital Markets.

The illegal use of the data could be stymied if an online merchant asks for the three or four digits printed on a card known as the "CVV code."

"The systems can all be made tighter, but if they're too tight no transactions would ever be approved," said Edward Lawrence, a director at Auriemma Consulting Group, a payment systems consultant. "You still have to allow commerce to occur."

Rep. Mary Bono, a California Republican who chairs the House Subcommittee on Commerce, Manufacturing and Trade, condemned the Global Payments breach and urged Congress to adopt stronger data-security legislation this year.

"You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'enter,'" she said in a statement.

Ripple effects

The Visa-Mastercard-Discover breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors.

Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America.

Sony also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network accounts.

Google suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China. Attacks against Gmail users involved direct attempts to compromise accounts by tricking users into revealing information - so-called "phishing" - or by gathering their passwords from other websites, rather than compromising Google systems, according to the company.

Separately, TJX Companies Inc and Heartland Payment Systems have had their systems compromised.

On Friday, retailers were already beginning to look for fraudulent purchases from the compromised card accounts stemming from the Global Payments breach. They will bear the financial brunt of those crimes under rules worked out with the card associations and issuers, analysts said.

"Our merchant community is sitting here girding itself and looking at their own fraud-prevention strategies and bracing for the influx of bad transactions," said Tom Donlea, managing director for the Americas at the nonprofit Merchant Risk Council.

"After Heartland and after the Sony breach, there was an increase in fraud activity."

(Reporting by Lauren Tara LaCapra, Carrick Mollenkamp and Jed Horowitz in New York, Joseph Menn in San Francisco, Ben Berkowitz in Boston, and Rick Rothacker in Charlotte, North Carolina; writing by Lauren Tara LaCapra; editing by Gerald E. McCormick, Andre Grenon and Phil Berlowitz)


Security breach hits US card processors, banks
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1461

Vote