Large breach of credit card processor serves as reminder data thieves always on the prowl
Over the weekend it was disclosed that Global Payments, Inc., one of the nation’s largest credit-card processors, had suffered a data breach that exposed up to 1.5 million credit cards to hackers. Global Payments said that it had “identified and self-reported” the breach upon discovering it in early March.
The company said that it is working closely with law enforcement agencies in responding to the breach and containing its scope. According to Global Payments, “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”
Significantly, Global Payments said that while credit card numbers were exposed, other important information — customer names, addresses, and Social Security numbers — was not breached. Credit cards have magnetic stripes that contain “Tracks” holding different types of information, and apparently the Global Payments breach involved “Track 2” data only. Track 2 data is sufficient to authorize credit card transactions, but holds only numeric data. Track 1 information contains both numbers and letters, and can therefore contain a broader range of information (such as names and addresses).
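As an added illustration (not part of the original article), the following Python sketch shows how a defender might scan log text for the two track formats described above and redact them. The field layouts are assumed from ISO/IEC 7813, the function names are hypothetical, and the sample lines are constructed around a well-known test card number.

```python
import re

# Layouts assumed from ISO/IEC 7813 (the article does not give them):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?   (letters allowed)
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?           (digits only)
TRACK1 = re.compile(r"%B(?P<pan>\d{12,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=\d{4}\d{3}\d*\?")

def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that merely look like track data."""
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def mask(pan):
    """Keep first six and last four digits, as commonly done for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return one finding per Luhn-valid Track 1 or Track 2 string in text."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            if luhn_ok(m["pan"]):
                findings.append({"track": kind,
                                 "pan_masked": mask(m["pan"]),
                                 "has_name": kind == "track1",
                                 "span": m.span()})
    return findings

def redact(text):
    """Replace each finding with a marker, working backwards so spans stay valid."""
    hits = sorted(find_track_data(text), key=lambda f: f["span"][0], reverse=True)
    for f in hits:
        start, end = f["span"]
        marker = "[REDACTED %s %s]" % (f["track"], f["pan_masked"])
        text = text[:start] + marker + text[end:]
    return text

# Constructed sample log lines (not real card data); the third fails the Luhn check.
SAMPLE = (
    "pos01 swipe raw=;4111111111111111=25121010000000000000? status=ok\n"
    "pos02 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000000? status=ok\n"
    "pos03 order ref=;4111111111111112=2512101? status=ok\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```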
Credit-card giant Visa responded by removing Global Payments from its list of approved processors. The breach was reportedly the second one Global Payments has suffered in the last year. Starting in 2007, Heartland Payment Systems suffered a data breach that exposed the data on 130 million credit cards. Heartland estimated that its legal fees, fines and settlements relating to the breach cost it approximately $140 million.
News articles about the breach have informed readers of the many players in the credit-card system. In addition to the “Card Brands” (Visa, MasterCard, et al.) themselves, credit-card processors and “issuing” and “authorizing” banks also have access to sensitive financial information. In view of the huge volume of sensitive data that courses through the system, the number of organizations that have access to that data and the ready market for stolen credit card information if its encryption can be broken, it is not at all surprising that hackers direct their efforts toward finding weaknesses in the system.
About the Author
John Doernberg is a Vice President at WGA. He is a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.