Global Payments Breach Details Fuzzy2 Weeks Later, Questions About Timing, Vulnerabilities Remain
Global Payments Inc. has released few new details in the two weeks since the third-party processor revealed it was the source of a breach that likely exposed card data for about 1.5 million credit and debit accounts.
See Also: The Power and Scale of XDR
Meanwhile, Gartner analyst Avivah Litan, one of the first fraud experts to comment on the breach, is among those questioning whether the security vulnerabilities that led to the breach may have been long-standing issues for Global.
"I don't think the full story has been disclosed," she says.
The breach investigation could take months to complete. Litan believes Global Payments is using the investigation as an excuse to reveal few, if any, new details.
Based on what Litan has learned from card issuers and others in the industry, she believes a second breach at a third-party - perhaps a processor or merchant - connected to Global also may have been involved.
Visa issued an advisory about five weeks ago about a processor breach occurring sometime between Jan. 21 and Feb. 25, according to Litan and security blogger Brian Krebs, who broke the story March 30. A MasterCard advisory noted the same dates, according to card issuers who have talked with BankInfoSecurity. Those advisories spurred Global to publicly acknowledge it had been breached.
But the dates listed in the advisories and the information released by Global during its April 2 analyst call don't jibe. Global said during the call that it notified the card brands as soon as it detected the breach in early March. The processor said it believes it discovered the breach soon after it occurred, not one or two months later.
"My educated guess is that the Visa advisory that came out about a breach is related to the breach Global disclosed, but I do not think it is the same one Global described," Litan says.
One card issuer executive, who's been in contact with BankInfoSecurity since the story broke, says the issuer has tracked back to December fraud that it believes is linked to Global Payments.
This card issuer executive, however, contends that the Global breach is probably relatively insignificant. "There are so many breaches going on at any one time, it is always difficult to tag all of the potential losses just to Global," says the executive, who asked to remain anonymous.
"From a large breach perspective, this breach has not been that big of a deal," the executive contends. Other, smaller breaches that get much less hype in the media often lead to more significant financial losses.
"While we have [had] some fraud get through [because of the Global breach], we have been successful in declining the majority of it," the executive says.
Updates From Global
On April 9, Global Payments made some minor revisions to a section of its website, where information for consumers and merchants affected by the breach was made available starting April 2.
For example, the site now includes more information about what it means when a processor falls out of compliance with the Payment Card Industry Data Security Standard and how merchants and consumers can learn more about how they may have been affected by the breach.
Visa announced shortly after news of the breach broke that it had removed Global from its PCI-compliant list. MasterCard said this week that it was still investigating the breach and has not yet moved forward with action to remove the processor's PCI-compliant listing.
Global's website also appears to include more details about the type of data that was exposed, offering an explanation of the difference between Track 1 and Track 2 magnetic-stripe data. Global has reiterated that only Track 2 data, which does not contain any personally identifiable information about the cardholder, was exposed in the breach.
Some industry pundits have questioned Global's assurance about the type of data that may have been compromised. They wonder how Global can be so certain at this point in the investigation.
Garter's Litan, however, says she doesn't question Global's affirmation that only Track 2 data was exposed. The company, she argues, could say that with certainty at this point in the investigation, if, for instance, it does not collect or store Track 1 data.
When contacted about updates related to the breach, executives at Global Payments directed us to the corporate website, saying they had no additional information to add at this time.