Global Payments breach raises questions
Company's description of breach leaves some gaps
Computerworld - Payment processing vendor Global Payments Inc. held a conference call Monday to explain a computer intrusion that exposed data on at least 1.5 million credit and debit card holders, but many questions about the breach were left unanswered.
The Atlanta-based company, which processes payment card transactions for thousands of merchants, first reported the compromise Friday when it issued a brief statement saying that intruders had gained access to a portion of its processing system. It later updated the statement to say that data belonging to about 1.5 million card holders, had been "exported" from its systems.
The company's disclosures came after the Wall Street Journal on Friday identified Global Payments as the victim of a major data breach. The breach was originally reported by security blogger Brian Krebs. Krebs' report did not name Global Payments and was based on an internal alert from Visa and MasterCard warning card-issuing banks about a breach at an undisclosed payment processor involving about 10 million debit and credit cards.
In a conference call with investors, Global Payments Chairman and CEO Paul Garcia said the data theft was confined to the company's North American processing system. The breach did not involve any merchant systems or systems belonging to sales partners, he said.
"Neither merchant systems nor point-of-sale devices were involved in any way," Garcia said, according to a transcript of Monday's call.
"Importantly, investigation to-date has revealed that the theft involved Track 2 card data only. We do not believe Track 1 card data was taken or that cardholder names, addresses, Social Security numbers for consumer banking information was obtained by the criminals," Garcia said, repeating the company's earlier statement on the breach. Based on an investigation of the intrusion, "we believe that this incident is contained," he said.
The company's description of the breach leaves some questions unanswered, said Avivah Litan, an analyst at Gartner. "It seems obvious that they were breached... but they didn't come out and say it straight," Litan said. "All they said is what was not involved. That's the mystery here."
There also appears to be a discrepancy between Global Payments' description of the data that was compromised and the descriptions offered by MasterCard and Visa. According to the alert sent out by the credit card companies to card-issuers, the compromised data included both Track 1 data, which includes personally identifiable information such as the card holder's name and account number, and Track 2 data, which involves information such as the card's expiration date and the account number. However, Global Payments has insisted that only Track 2 data was compromised.
"This discrepancy just raises more questions. We still don't have all the information," Litan said.
A Visa spokesman said the company does not comment on private internal communications regarding ongoing investigations.
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
- 360 million account credentials found in the wild, says security firm
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts