Secret Service probes major credit card breach

Credit card breach at an Atlanta card-processor affects Visa, MasterCard, American Express, and Discover. The number of accounts affected by the security breach is not yet known. 

|
Shannon Stapleton/Reuters/File
A MasterCard logo is seen on a door outside a restaurant in New York in this2010 file photo. Federal authorities are investigating a potential security breach that has affected MasterCard, Visa, American Express, and Discover Card accounts.

The U.S. Secret Service is investigating a major cyber intrusion at an Atlanta-based payment processor that could expose millions of MasterCard, Visa, American Express and Discover cardholders to fraudulent charges.

Processor Global Payments Inc said on Friday it had found "unauthorized access" into its system early in March and notified law enforcement and financial institutions.

Payment network operators MasterCard Inc, Visa Inc , American Express Co and Discover Financial Services confirmed they were affected, along with banks and other franchises that issue cards bearing their logos.

A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.

Though Global Payments is far from a household name, middlemen s uch as the company are prized targets f or hackers because of the vast amount of sensitive financial information they handle.

The company's stock fell more than 9 percent on the news before trading was halted. It said it would discuss the breach in a phone call for investors on Monday.

It was not immediately clear how Global Payments was penetrated or how many accounts were exposed. Consumers who detect fraud usually can be reimbursed. That leaves merchants on the hook financially, though they could file claims against Global Payments.

Analysts said MasterCard and Visa are unlikely to face costs from the breach, but MasterCard shares fell 1.8 percent to close at $420.54 and Visa shares dropped 0.8 percent to $118.

The security breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk.

Individual banks and processors said they had not yet determined the full extent of the breach, but the blog Krebs on Security, which first reported the breach, said it was "massive" and could affect more than 10 million cardholders.

Some industry experts suggested the figure might be much lower, perhaps on the order of tens of thousands. Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share. By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 percent of the market.

JPMorgan Chase & Co, as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised.

Citigroup Inc said it has been notified by processors of the breach. Bank of America Corp declined to comment on the matter and Wells Fargo & Co said it was too early to comment on the impact.

Banks and processors emphasized customers would not be held liable for any fraudulent charges that may occur.

Michael Simonsen, chief executive of real-estate research company Altos Research, said he may have been a victim.

Simonsen said he was contacted by Bank of America last week about his Visa card. Although there were no unauthorized transactions, the representative told him a vendor or law enforcement agency had flagged his account as compromised and so he would receive a new one.

"It was very unusual," he said.

Global Payments, which has about 3,700 employees, was spun off from information-services firm National Data Corp in 2001. For the fiscal year ended May 31, Global Payment reported revenue of $1.9 billion, up 13 percent from the year-earlier period. According to a company presentation in January, it estimated fiscal 2012 revenue at about $2.15 billion.

Global Payments is scheduled to report fiscal third-quarter results on Wednesday and a n improvement is expected. On Wednesday, Sterner Agee raised its stock price target for Global Payments to $65 from $58.

Global Payments is one of dozens of companies that operate along the payment-processing chain, between the time a person swipes a card to pay and the time the payment is delivered.

The account number, expiration date and possibly the cardholder's name is sent from the point of payment to a processor, which then connects to Visa, MasterCard, American Express or Discover. Information is then sent to the card issuer - often a bank - which ultimately authorizes the transaction.

The actual transfer of money occurs later.

Processing companies, which perform millions of authorizations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption.

The information that was likely collected illegally from Global Payments is called Track 1 and Track 2 data. A person improperly using the information can transfer the account number and expiration date to a magnetic strip on a card and then try to use the card on a website.

Thousands of U.S. banks that issue credit and debit cards receive daily alerts regarding breaches, said Thomas McCrohan, an analyst with Jane Capital Markets.

The illegal use of the data could be stymied if an online merchant asks for the three or four digits printed on a card known as the "CV code."

"The systems can all be made tighter, but if they're too tight no transactions would ever be approved," said Edward Lawrence, a director at Auriemma Consulting Group, a payment systems consultant. "You still have to allow commerce to occur."

Rep. Mary Bono, a California Republican who chairs the House Subcommittee on Commerce, Manufacturing and Trade, condemned the Global Payments breach and urged Congress to adopt stronger data-security legislation this year.

"You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'enter,'" she said in a statement.

The breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors.

Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America.

Sony Corp also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network accounts.

Google Inc suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China. Attacks against Gmail users involved direct attempts to compromise accounts by tricking users into revealing information - so-called "phishing" - or by gathering their passwords from other websites, rather than compromising Google systems, according to the company.

Separately, TJX Co Inc and Heartland Payment Systems Inc have had their systems compromised.

On Friday, retailers were already beginning to look for fraudulent purchases from the compromised card accounts stemming from the Global Payments breach. They will bear the financial brunt of those crimes under rules worked out with the card associations and issuers, analysts said.

"Our merchant community is sitting here girding itself and looking at their own fraud-prevention strategies and bracing for the influx of bad transactions," said Tom Donlea, managing director for the Americas at the nonprofit Merchant Risk Council. "After Heartland and after the Sony breach, there was an increase in fraud activity."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Secret Service probes major credit card breach
Read this article in
https://www.csmonitor.com/Business/Latest-News-Wires/2012/0331/Secret-Service-probes-major-credit-card-breach
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe