Some Facts About the Data Breach at Global Payments
Last Friday, the press began reporting about a major data breach at Global Payments, a large US card processor. As always in the early stages of such events, there were plenty of rumours and speculation, with various sources reporting the number of stolen cards to be as low as 50,000 or as high as 10 million.
This morning, as I write this, Global Payments is holding a conference call to provide us all with more information. So, this is what we have directly from the company:
- Up to 1.5m card records “may” have been affected;
- The incident is contained to North America only;
- Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.);
- Visa removed Global Payments from a PCI compliance list;
- The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
- Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
- Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today: http://www.2012infosecurityupdate.com/
Trading of Global Payments shares was suspended on Friday, and the full impact on the company remains difficult to estimate at this stage. However, the executives on the call remained positive and stressed that the company:
- Continues to process all card transactions, including Visa;
- Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
- Intends to get its ROC (Record of Compliance) back “as soon as it is humanly possible”;
- Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
- Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
Data breaches are unpleasant, dangerous and costly. They are also a fact of life. In our most recent payment trends report, we called out retail payments security as an important focus area for 2012. As the commerce environment gets more complex (online, offline, mobile, etc.) and as access points to payments proliferate, security issues are only getting more complex. What are your thoughts on how best to ensure payments security in the digital age?