The US Secret Service is investigating a major cyber
intrusion at an Atlanta-based payment processor that could expose
millions of MasterCard, Visa, American Express and Discover cardholders
to fraudulent charges.
Processor Global Payments Inc said on Friday it
had found "unauthorised access" into its system early in March and
notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa
Inc , American Express Co and Discover Financial Services confirmed they
were affected, along with banks and other franchises that issue cards
bearing their logos.
A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.
Though Global Payments is far from a household
name, middlemen such as the company is prized targets f or hackers
because of the vast amount of sensitive financial information they
handle.
The company's stock fell more than 9 percent on
the news before trading was halted. It said it would discuss the breach
in a phone call for investors on Monday.
It was not immediately clear how Global Payments
was penetrated or how many accounts were exposed. Consumers who detect
fraud usually can be reimbursed. That leaves merchants on the hook
financially, though they could file claims against Global Payments.
Analyst s said MasterCard and Visa are unlikely
to face costs from the breach, but MasterCard shares fell 1.8 percent to
close at $420.54 and Visa shares dropped 0.8 percent to $118.
The security breach is just the latest in a long
string of incidents that have put the personal information of millions
of credit and debit cardholders at risk.
Individual banks and processors said they had
not yet determined the full extent of the breach, but the blog Krebs on
Security, which first reported the breach, said it was "massive" and could affect more than 10 million cardholders.
Some industry experts suggested the figure might
be much lower, perhaps on the order of tens of thousands. Bernstein
Research analyst Rod Bourgeois noted that Global Payments is a
relatively small player in the transactions services industry, servicing
800,000 merchants with a 3.5 percent market share. By contrast, the
largest competitor, First Data, services millions of merchants, with
22.6 percent of the market.
JPMorgan Chase & Co, as well as American
Express and Discover, which issue their own cards, said they are
monitoring customers' accounts and would issue new cards to anyone whose
information may have been compromised.
Citigroup Inc said it has been notified by
processors of the breach. Bank of America Corp declined to comment on
the matter and Wells Fargo & Co said it was too early to comment on
the impact.
Banks and processors emphasized customers would not be held liable for any fraudulent charges that may occur.
Michael Simons, chief executive of real-estate research company Altos Research, said he may have been a victim.
Simons said he was contacted by Bank of America
last week about his Visa card. Although there were no unauthorized
transactions, the representative told him a vendor or law enforcement
agency had flagged his account as compromised and so he would receive a
new one.
"It was very unusual," he said.
PROCESSING PIPELINE
Global Payments, which has about 3,700
employees, was spun off from information-services firm National Data
Corp in 2001. For the fiscal year ended May 31, Global Payment reported
revenue of $1.9 billion, up 13 percent from the year-earlier period.
According to a company presentation in January, it estimated fiscal 2012
revenue at about $2.15 billion.
Global Payments is scheduled to report fiscal
third-quarter results on Wednesday and an improvement is expected. On
Wednesday, Sterner Agee raised its stock price target for Global
Payments to $65 from $58.
Global Payments is one of dozens of companies
that operate along the payment-processing chain, between the time a
person swipes a card to pay and the time the payment is delivered.
The account number, expiration date and possibly
the cardholder's name is sent from the point of payment to a processor,
which then connects to Visa, MasterCard, American Express or Discover.
Information is then sent to the card issuer - often a bank - which
ultimately authorises the transaction.
The actual transfer of money occurs later.
Processing companies, which perform millions of
authorizations each day, are supposed to encrypt card information. But a
breach could occur if someone gains access to the system and identifies
a gap in the encryption.
The information that was likely collected
illegally from Global Payments is called Track 1 and Track 2 data. A
person improperly using the information can transfer the account number
and expiration date to a magnetic strip on a card and then try to use
the card on a website.
Thousands of U.S. banks that issue credit and
debit cards receive daily alerts regarding breaches, said Thomas
McCrohan, an analyst with Jane Capital Markets.
The illegal use of the data could be stymied if
an online merchant asks for the three or four digits printed on a card
known as the "CV code."
"The systems can all be made tighter, but if
they're too tight no transactions would ever be approved," said Edward
Lawrence, a director at Auriemma Consulting Group, a payment systems
consultant. "You still have to allow commerce to occur."
Rep. Mary Bono, a California Republican who
chairs the House Subcommittee on Commerce, Manufacturing and Trade,
condemned the Global Payments breach and urged Congress to adopt
stronger data-security legislation this year.
"You shouldn't have to cross your fingers and
whisper a prayer when you type in a credit card number on your computer
and hit 'enter,'" she said in a statement.
RIPPLE EFFECTS
The breach is the first major instance this year
of consumer information put at risk by technological flaws or hacking,
but there are plenty of examples of massive data breaches in recent
years affecting banks, retailers, technology companies and payment
processors.
Last June, Citigroup said computer hackers
breached the bank's network and accessed data of about 200,000
cardholders in North America.
Sony Corp also reported
several recent attacks, including one last year in which hackers
accessed the personal information on 77 million PlayStation Network
accounts.
Google Inc suffered a major attack on its Gmail
accounts in 2011 that it said appeared to originate in China. Attacks
against Gmail users involved direct attempts to compromise accounts by
tricking users into revealing information - so-called "phishing" - or by
gathering their passwords from other websites, rather than compromising
Google systems, according to the company.
Separately, TJX Co Inc and Heartland Payment Systems Inc have had their systems compromised.
On Friday, retailers were already beginning to
look for fraudulent purchases from the compromised card accounts
stemming from the Global Payments breach. They will bear the financial
brunt of those crimes under rules worked out with the card associations
and issuers, analysts said.
"Our merchant community is sitting here girding
itself and looking at their own fraud-prevention strategies and bracing
for the influx of bad transactions," said Tom Donlea, managing director
for the Americas at the nonprofit Merchant Risk Council. "After
Heartland and after the Sony breach, there was an increase in fraud
activity."
