MasterCard and VISA warn of massive data breach, impact unknown

Posted Mar 30, 2012 by Leigh Goessl
A massive data breach has occurred involving MasterCard and VISA cardholders. It is possible 10 million credit card holders may be impacted by this significant breach.
A collection of various credit cards
by Shoot Art, Not Each Other
According to Krebs on Security, which broke the news about the breach, VISA and MasterCard are alerting U.S. banks about the breach that involved a third-party credit card processor.
Reportedly, the compromise occurred between Jan. 21, 2012 and Feb. 25, 2012. The data taken can be used to create counterfeit credit cards; Krebs refers to this as "Track 1 and Track 2 data."
The name of the card processor involved in the data breach was not immediately available as this story was breaking; however, the Wall Street Journal has reported that Global Payments Inc. is the processor involved, according to unnamed sources "with knowledge of the situation."
The sources said that the full extent of the breach could not be determined; however, a figure of 50,000 cardholders at risk from this exploit was suggested, although Reuters also noted the 10 million figure. Realistically, this early in the investigation, the extent of the breach is possibly not yet known.
Global Payments Inc. is an Atlanta-based company that is a third-party processor of credit, debit and gift cards; this role is a 'middleman' that manages transactions between consumers and the banks issuing the cards.
Banks and law enforcement officials have been alerted and an investigation is under way. Reportedly, an independent data-security organization is conducting a forensic investigation, and Forbes reported the U.S. Secret Service is involved.
Both MasterCard and VISA have said their internal systems have not been compromised in any way.
MasterCard issued a statement (courtesy of Reuters) which said, "MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information. If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution."
An update on Krebs on Security just before noon today reported VISA also issued a statement which said, “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
It is not currently known how extensively the exploit may be impacting MasterCard or VISA users in terms of fraudulent transactions resulting from this substantial data breach, although Krebs said, “Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.”
Avivah Litan, a fraud and security expert at Gartner Research, said, "I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently. From what I hear, the breach involves a taxi and parking garage company in the New York City area so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud."
At this time Global Payments has not yet released a statement.
Data breaches are an unfortunate reality of today's world; last year some sizeable breaches occurred, affecting millions of people.
As this story is still unfolding, it is not known how many credit and debit card users will be impacted once more information is gleaned by those investigating. The damage could be in the tens of thousands or in the tens of millions of people affected; either way, it is still a significant data breach. Additionally, exactly what kind of information may have been breached is not clear.
Verizon's 2011 Data Breach Investigation Report, released last week, illuminated many different statistics associated with data breaches, including that 98 percent of incidents stemmed from external agents (+6%).
Update March 31 8:30 a.m.
Global Payments Inc. has issued a statement which indicated the company had detected the breach in early March and notified the industry parties involved and the appropriate authorities.
“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.
A conference call will be held on Apr. 2 at 8 a.m. EDT. For information on how to attend this call, please see details in the company's statement.