By Jessica Silver-Greenberg and Nelson D. Schwartz / New York Times News Service
Published: March 31, 2012 4:00AM PST
Visa and MasterCard are investigating whether a data security breach at one of the main companies that processes transactions improperly exposed private customer information, bank officials said Friday. The event highlighted a crucial vulnerability that could affect millions of cardholders.
The breach occurred at Global Payments, an Atlanta company that helps Visa and MasterCard process transactions for merchants. One bank executive estimated that about 1 million to 3 million accounts could be affected. That does not mean all those cards were used fraudulently, but that credit card information on the cardholders was exposed.
The bank official, who insisted on anonymity because the inquiry is at an early stage, said that Visa and MasterCard notified his company Thursday, but that banks had been frustrated with the pace of disclosure by Global Payments. He said that Global Payments, which is one of the biggest transaction processors, had provided little information on where the breaches took place, how accounts were hacked and other details that could indicate which customers might be vulnerable.
Banks said that when they could identify victims, they would notify them and replace credit cards, if necessary.
Bank officials said they were told by Visa and MasterCard that the breach occurred sometime from late January to late February, and included what is known as Track 1 and Track 2 data. That includes details like names, card numbers, validation codes and in some cases, customer addresses.
“Thieves are after high concentrations of credit card numbers, which makes payment processors the perfect target,” said Tim Matthews, a director at Symantec, a security firm.
The processors, including Global Payments, act as the plumbing from merchants to banks, authorizing millions of transactions each day.
With each swipe of a credit card, the card number and other important financial information travels from the merchant to the third-party processors and then to Visa or MasterCard. The data is then forwarded to the bank that issued the card.
The holy grail for hackers is the account information. The goal is to break the data’s encryption as it travels through the payment processor system, said Avivah Litan, a vice president and analyst with Gartner Research, a security firm.
This is the second breach at Global Payments in the past 12 months, according to two individuals briefed on the investigations who spoke on the condition of anonymity because they were not authorized to speak publicly. Another similar attack was disclosed by Heartland Payment Systems in 2009, a breach that began in 2007 and resulted in the exposure of data on 130 million credit cards. Heartland estimated that breach cost it $140 million in fines, settlements and legal fees.
The new possible breach was reported Friday morning by a blog called Krebs on Security. Trading in Global Payments shares was halted around noon but the share price had already dropped 9.1 percent to $47.50.
A spokeswoman for Global Payments declined to comment on whether hackers had struck before. In a statement Friday afternoon, the company said it had identified “unauthorized access into a portion of its processing system,” and had asked for help from external experts in computer security and also contacted federal law enforcement. The Secret Service, which investigates credit card fraud, confirmed that it was looking into the breach.
“It is reassuring that our security processes detected an intrusion,” said Paul Garcia, the chief executive of Global Payments. “It is crucial to understand that this incident does not involve our merchants or their relationships with their customers.”
Electronic payment industry officials also said the latest data thefts were not evidence of a larger problem. “These folks work night and day to secure their systems, but they are connected to millions of merchants around the country and nothing is absolutely foolproof,” said Thomas Goldsmith, a spokesman for the Electronic Transactions Association, a trade group.
MasterCard would not say how many cardholders might have been affected by the attack. The card companies also said they had alerted banks and law enforcement officials to the breach, and emphasized that their own systems had not been compromised.
“We have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk,” MasterCard said in a statement. A Visa representative said that “there has been no breach of Visa systems.”