The computer systems of a major credit card payment processing company called Global Payments have been hacked, reportedly compromising information on up to 1.5 million credit card account numbers.
Two of my credit cards (one MasterCard and one American Express) are among the numbers stolen, as proven by Amex and Citibank calling me to verify charges on my cards (2 through Yahoo, 1 to Google AdWords, and 1 to EasyJet) which I did not make. Those cards have been canceled.
I’m impressed by and grateful for how seriously and effectively the card companies and banks work to prevent fraudulent charges.
Although 1.5 million represents less than one percent of the total number of debit and credit cards issued to United States cardholders, don’t assume that your data is safe.
I encourage you to get online if you can to check activity on your credit cards and make sure the charges you see are valid, and keep checking for a few weeks. If you can’t or don’t check your activity online, make sure to check your statement very carefully when it arrives.
Generally, you will not be liable for charges you didn’t make, though if you wait a long time to report the charge to your card company, your risk of being stuck with the charge may increase.
One of the disturbing aspects of this story is that the public was only notified of this hack at the end of March (on Friday). The company became aware of the data breach in early March, and the breach itself apparently lasted for more than a month, from January 21, 2012 to February 25, 2012, according to the Krebs on Security blog, which has a good timeline of the release of information. However, the company claims that they discovered and reported the breach themselves; it was not found or reported first by customers or banks. They also say that they reported the breach to federal law enforcement immediately upon discovery in early March. Perhaps law enforcement asked the company not to disclose the breach to the public in order to try to make their initial investigations easier by not alerting the criminals to the fact that the data theft had been discovered.
Visa has dropped Global Payments from their list of approved providers.
Global Payments held a conference call on Monday morning to discuss the issue (as well as their earnings report). The company has posted a webcast of the call. They claim that only “Track 2” data (relating to the tracks on the magnetic stripes on the backs of credit cards) was taken, and that other key information, including Social Security numbers, names, and addresses, was not stolen. According to the Chicago Tribune, “A person improperly using Track 2 information can transfer the account number and expiration date of a card to a magnetic stripe on a fraudulent card and then try to use it to make online purchases. The attempt could be blocked, however, if an online merchant asks for the CVV code, or the three or four digits usually located on the back of card.”
If Track 1 data was also taken, which is possible, that would include the cardholder’s name.
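What the Track 1 versus Track 2 distinction means for exposure, as an added example that is not part of the original post: a small scanner that finds magnetic-stripe records in log text and reports which fields each record carries. The field layouts follow ISO/IEC 7813; the function names and the sample lines (built on the public test number 4111111111111111) are constructed for illustration.

```python
import re

# Swipe formats per ISO/IEC 7813, start and end sentinels included.
# Track 1: %B PAN ^ NAME ^ YYMM service-code discretionary ?
# Track 2: ;  PAN = YYMM service-code discretionary ?
TRACK1 = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")

def luhn_ok(pan):
    """Luhn checksum; discards digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Show only the first six and last four digits so findings can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return one finding per stripe record, noting whether a name is present."""
    findings = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(text):
            g = m.groupdict()
            if luhn_ok(g["pan"]):
                findings.append({"track": track, "pan": mask(g["pan"]),
                                 "expiry_yymm": g["exp"], "service_code": g["svc"],
                                 "name_exposed": "name" in g})
    return findings

# Constructed sample log lines; the third has the right shape but fails Luhn.
SAMPLE = (
    "swipe raw=%B4111111111111111^DOE/JANE^15121010000000000?\n"
    "swipe raw=;4111111111111111=15121010000000000?\n"
    "order ref=;1234567890123456=15121010000?\n"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE):
        print(finding)
```

Both records carry the account number and expiration date, but only the Track 1 record carries the cardholder's name, which is why the company's "Track 2 only" statement matters.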
It was disappointing to hear the company say that they were unaware of any fraudulent transactions on any of the stolen accounts. Perhaps someone at the company will read this blog note and change their answer…
The company is also launching a web site to update the public with information on the data breach. It should be operational later today at https://www.2012infosecurityupdate.com/
Global Payments stock (NYSE: GPN) plunged from $52 to $47.50 per share on Friday, and is down about another $1.50 to just below $46 in early trading on Monday.